Ensure IAM policy documents do not allow * as a statement’s action

ID

aws_star_action_policy

Severity

high

Vendor

AWS

Resource

AWS IAM

Tags

reachable

Description

The Action element in IAM policy documents specifies the exact action or actions that are permitted or denied. Statements within these policies must include either an Action or NotAction element.

Each AWS service has its own unique set of actions that define the tasks that can be carried out with that particular service. To specify an action, you should use a namespace that identifies the service (e.g., iam, ec2, sqs, sns, s3) followed by the name of the action to be allowed or denied. The action name must correspond to an action that is supported by the service.

We strongly advise against permitting wildcard (*) statements within action elements. Allowing such broad access could potentially grant unrestricted and unintended access to anyone governed by this policy document. Instead, we recommend creating a more refined policy that explicitly describes the specific actions allowed or required for the policy holder.
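The check this rule performs can be reproduced on a rendered IAM policy document, as in the added example below (not the rule's own implementation). It parses the policy JSON, normalises the Action element (IAM allows a string or a list) and reports every Allow statement whose action is the bare wildcard; the sample policies are constructed for the example.

```python
import json

# Constructed sample policy documents (not from the rule page): one statement
# that grants every action, and one scoped to named S3 actions.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*",
                   "Resource": "arn:aws:s3:::my_corporate_bucket/*"}],
})
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::my_corporate_bucket/*"}],
})

# IAM evaluates "*:*" the same way as "*": every action of every service.
STAR_ACTIONS = {"*", "*:*"}


def _as_list(value):
    """IAM allows Statement/Action/Resource to be a single value or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def find_star_actions(policy_json):
    """Return the indices of Allow statements whose Action grants every action."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny of "*" restricts access rather than granting it
        actions = [a.strip() for a in _as_list(stmt.get("Action"))]
        if any(a in STAR_ACTIONS for a in actions):
            findings.append(idx)
    return findings


if __name__ == "__main__":
    print("bad:", find_star_actions(BAD_POLICY))    # [0]
    print("good:", find_star_actions(GOOD_POLICY))  # []
```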

Examples

Buildtime

Terraform

# aws_iam_policy_document is a data source, not a resource, and a Terraform
# block needs a name label; "example" is a placeholder name.
data "aws_iam_policy_document" "example" {
  version = "2012-10-17"

  statement {
    effect = "Allow"
    actions = [
      "*", # (1)
    ]
    resources = [
      "arn:aws:s3:::my_corporate_bucket/*",
    ]
  }
}
1 Setting * as the value for the actions is too permissive.

Mitigation / Fix

Buildtime

Terraform

# aws_iam_policy_document is a data source, not a resource, and a Terraform
# block needs a name label; "example" is a placeholder name.
data "aws_iam_policy_document" "example" {
  version = "2012-10-17"

  statement {
    effect = "Allow"
    actions = [
      "s3:*", # (1)
    ]
    resources = [
      "arn:aws:s3:::my_corporate_bucket/*",
    ]
  }
}
1 Ensure you have a more specific scope.