Ensure no IAM policy documents allow "*" as a statement's actions

ID

iam_star_action_policy

Severity

critical

Vendor

AWS

Resource

IAM

Tags

reachable

Description

The Action element describes the specific action or actions that will be allowed or denied. Statements must include either an Action or NotAction element.

Each AWS service has its own set of actions that describe tasks that you can perform with that service. Specify a value using a namespace that identifies a service, for example, iam, ec2, sqs, sns, s3, followed by the name of the action to be allowed or denied. The name must match an action that is supported by the service.

Using "*" (all actions) in a statement's Action element grants the policy holder every action on the statement's resources, which is almost certainly a misconfiguration, since standard security practice is to grant least privilege.

A refined policy that names only the specific actions the policy holder actually requires should be used instead.

See Create IAM Policies for full details, and aws_iam_policy_document for description on the Terraform IAM Policy Document data source.

Examples

CloudFormation

{
  "Resources": {
    "Policy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "CFNUsers",
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:HeadBucket",
                "*" (1)
              ],
              "Effect": "Allow",
              "Resource": [
                "arn:aws:s3:::b1",
                "arn:aws:s3:::b1/*"
              ],
              "Sid": ""
            }
          ],
          "Version": "2012-10-17"
        },
        "Groups": [
          {
            "Ref": "CFNUserGroup"
          }
        ]
      }
    }
  }
}
1 Wildcard "*" grants every action, not just s3:HeadBucket.
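As an added illustration, not the checker's own implementation or code from this page, a small Python scanner that applies this rule to a CloudFormation template; it assumes policy documents sit directly under Properties.PolicyDocument of AWS::IAM::Policy and AWS::IAM::ManagedPolicy resources, and flags only a bare "*" in an Allow statement, as the check describes.

```python
import json

# Constructed sample: this page's flagged AWS::IAM::Policy, plus a Deny
# statement and a compliant managed policy so the check has negatives to ignore.
TEMPLATE = json.loads("""{"Resources": {
  "Policy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyName": "CFNUsers",
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
      {"Effect": "Allow", "Action": ["s3:HeadBucket", "*"],
       "Resource": ["arn:aws:s3:::b1", "arn:aws:s3:::b1/*"]},
      {"Effect": "Deny", "Action": "*", "Resource": "*"}]}}},
  "ReadOnly": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {
    "PolicyDocument": {"Version": "2012-10-17",
      "Statement": {"Effect": "Allow", "Action": "s3:HeadBucket", "Resource": "*"}}}}
}}""")

# Assumption: only these two resource types carry PolicyDocument directly.
IAM_POLICY_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}

def as_list(value):
    """IAM accepts either a single string or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def star_action_statements(policy_document):
    """Return indices of Allow statements whose Action contains a bare '*'.

    A Deny with '*' restricts rather than grants, so it is not a finding.
    Service-scoped wildcards such 's3:*' are outside this check's scope."""
    hits = []
    for idx, stmt in enumerate(as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if any(action.strip() == "*" for action in as_list(stmt.get("Action"))):
            hits.append(idx)
    return hits

def check_template(template):
    """Map each failing logical resource id to its offending statement indices."""
    findings = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") not in IAM_POLICY_TYPES:
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        hits = star_action_statements(doc)
        if hits:
            findings[name] = hits
    return findings

if __name__ == "__main__":
    for name, idxs in check_template(TEMPLATE).items():
        print(f"FAILED iam_star_action_policy: {name} statement(s) {idxs}")
```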

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "Policy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "CFNUsers",
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:HeadBucket" (1)
              ],
              "Effect": "Allow",
              "Resource": [
                "arn:aws:s3:::b1",
                "arn:aws:s3:::b1/*"
              ],
              "Sid": ""
            }
          ],
          "Version": "2012-10-17"
        },
        "Groups": [
          {
            "Ref": "CFNUserGroup"
          }
        ]
      }
    }
  }
}
1 Only the specific action required is granted; no "*" wildcard.

Runtime

AWS Console

To modify the policy settings, go to the Amazon IAM console:

  • In the navigation pane, select Policies.

  • In the list of policies, choose the policy name of the policy to edit. You can use the Filter menu and the search box to filter the list of policies.

  • On the Permissions tab, choose Edit Policy.

  • Review Action elements that grant all actions ("*") and replace them with the specific actions required.

  • On the Review page, review the policy Summary, then click Save Changes.