IAM policy with full wildcard administrative privileges

ID

iam_admin_policy

Severity

critical

Vendor

AWS

Resource

IAM

Tags

reachable

Description

An IAM policy that allows any action on any resource is too permissive and is considered a security flaw.

IAM policies are the mechanism for granting privileges to users, groups and roles. Standard security practice is to grant least privilege: only the permissions required to perform a task. Granting full administrative permissions may expose resources to unwanted actions.

See Create IAM Policies for full details, and aws_iam_policy_document for a description of the Terraform IAM Policy Document data source.

Examples

CloudFormation

{
  "Resources": {
    "Policy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "CFNUsers",
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:HeadBucket",
                "*" (1)
              ],
              "Effect": "Allow",
              "Resource": [
                "arn:aws:s3:::b1",
                "arn:aws:s3:::b1/*",
                "*" (1)
              ],
              "Sid": ""
            }
          ],
          "Version": "2012-10-17"
        },
        "Groups": [
          {
            "Ref": "CFNUserGroup"
          }
        ]
      }
    }
  }
}
1 Wildcards granting unrestricted access: any action on any resource.

Terraform

data "aws_iam_policy_document" "too_permissive" {
  version = "2012-10-17" // only "2008-10-17" and "2012-10-17" are valid policy versions

  statement {
    effect = "Allow" // default
    actions = ["*"] (1)
    resources = ["*"] (1)
  }
}
1 Wildcards granting unrestricted access: any action on any resource.

Mitigation / Fix

The recommended practices for creating IAM policy documents with appropriate permissions are as follows:

  • Determine what users need to do, and design policies allowing them to perform only those tasks.

  • Never allow all users full administrative privileges.

  • Start with a minimum set of permissions and grant additional permissions as necessary.

  • Unrestricted IAM policies that have a statement with effect = "Allow" for any action (actions = ["*"]) over any resource (resources = ["*"]) should be edited to remove these offending statements.
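The following is an added example, not part of this rule's own checker: a small Python script that finds the offending statements described above (Effect "Allow" with "*" in both Action and Resource) in an IAM policy document and produces a copy with those statements removed. The sample document is constructed from the CloudFormation example above, with the callout markers stripped so it parses as JSON and with a second, correctly scoped read-only statement added to show that scoped statements are kept. IAM allows Action, Resource and Statement to be either a single value or a list, so the helper normalises both forms.

```python
import json
from copy import deepcopy

# Constructed sample: the policy document from the CloudFormation example above
# (callout markers removed) plus a correctly scoped statement that must survive.
SAMPLE_POLICY_DOCUMENT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": ["s3:HeadBucket", "*"],
      "Resource": ["arn:aws:s3:::b1", "arn:aws:s3:::b1/*", "*"]
    },
    {
      "Sid": "ReadOnlyBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::b1", "arn:aws:s3:::b1/*"]
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts a single string/object or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin_statement(statement):
    """True when the statement allows any action ("*") on any resource ("*").

    Only the bare "*" wildcard is flagged, matching this rule; service-scoped
    wildcards such as "s3:*" are a separate concern. Deny statements never match.
    """
    if statement.get("Effect") != "Allow":
        return False
    actions = _as_list(statement.get("Action"))
    resources = _as_list(statement.get("Resource"))
    return "*" in actions and "*" in resources


def find_admin_statements(policy_document):
    """Return (index, Sid) for every full-wildcard Allow statement in the document."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if is_full_admin_statement(stmt):
            findings.append((idx, stmt.get("Sid", "")))
    return findings


def remove_admin_statements(policy_document):
    """Return a copy of the document with the offending statements removed (input is untouched)."""
    fixed = deepcopy(policy_document)
    fixed["Statement"] = [
        stmt for stmt in _as_list(fixed.get("Statement"))
        if not is_full_admin_statement(stmt)
    ]
    return fixed


if __name__ == "__main__":
    for idx, sid in find_admin_statements(SAMPLE_POLICY_DOCUMENT):
        print(f"statement {idx} (Sid={sid!r}) allows any action on any resource")
    print(json.dumps(remove_admin_statements(SAMPLE_POLICY_DOCUMENT), indent=2))
```

Statements written with NotAction or NotResource are not evaluated by this check and still need a manual review, since a NotAction statement over Resource "*" can be almost as broad as the wildcard form flagged here.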

You may detach a policy that grants full administrative privileges using the AWS CLI:

# List the users, groups and roles the policy is attached to.
aws iam list-entities-for-policy --policy-arn <policy_arn>

# Detach the policy from users, groups and roles.
aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>
aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>