CRITICAL IAM

Overly permissive IAM policies

Check ID: aws-iam-005

AWS-IAM-005 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks for customer-managed IAM policies with Action: * and Resource: *, which grant full administrative access to every AWS service.

Why it matters

Policies with Action: * and Resource: * grant unrestricted access equivalent to the root user. A compromised identity with such a policy can launch cryptocurrency miners, exfiltrate all S3 data, create backdoor users, and delete CloudTrail logs to cover its tracks. The 2023 Microsoft SFI review found that overly permissive policies were the root cause in 68% of cloud security incidents across their customer base. Even for admin users, AWS recommends using the AWS-managed AdministratorAccess policy, constrained by SCPs, rather than customer-managed wildcard policies. Building least-privilege policies from IAM Access Analyzer findings and CloudTrail event history takes minutes and dramatically reduces blast radius.

Common causes

Wildcard policies typically originate from development environments where engineers grant themselves full access to move fast, then those policies get replicated to staging or production. CloudFormation and Terraform templates copied from blog posts or Stack Overflow often include Action: * as a placeholder that never gets scoped down. Some teams create break-glass policies and forget to restrict them after the incident.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
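The core of the check, written out as an added Python example (not cloud-audit's own code): it walks a policy document's statements and flags any Allow statement whose Action and Resource both contain "*", handling the string-or-list forms IAM accepts and ignoring Deny statements. The policy documents below are constructed samples, and the function assumes the document has already been retrieved (for example from get-policy-version).

```python
import json

# Constructed sample policy documents (not from a real account).
FULL_ADMIN = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17",
          "Statement": [{"Effect": "Allow",
                         "Action": ["s3:GetObject", "s3:ListBucket"],
                         "Resource": ["arn:aws:s3:::my-bucket",
                                      "arn:aws:s3:::my-bucket/*"]}]}
DENY_ALL = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}
# Single statement object (not a list) with "*" hidden inside an action list.
LIST_WILDCARD = {"Version": "2012-10-17",
                 "Statement": {"Effect": "Allow", "Action": ["s3:GetObject", "*"],
                               "Resource": ["*"]}}
FULL_ADMIN_JSON = json.dumps(FULL_ADMIN)


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin_statement(stmt):
    """True for an Allow statement with Action "*" on Resource "*".

    Deny statements are guardrails, not grants, so they never match.
    Service-wide wildcards such as iam:* are deliberately out of scope here;
    this mirrors the aws-iam-005 condition only.
    """
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return "*" in actions and "*" in resources


def find_full_admin_statements(policy_document):
    """Return indexes of statements that grant full admin access.

    Accepts either a parsed dict or the raw JSON string of the document.
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    statements = _as_list(policy_document.get("Statement"))
    return [i for i, s in enumerate(statements) if is_full_admin_statement(s)]
```

Against a live account, feed it the Document field returned by get-policy-version for each policy listed with Scope=Local, which restricts the scan to customer-managed policies as the check describes.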

Remediation: AWS CLI

# Inspect the current default version of the offending policy:
aws iam get-policy-version --policy-arn POLICY_ARN --version-id VERSION_ID
# Create a new version with least-privilege permissions and make it the default:
aws iam create-policy-version --policy-arn POLICY_ARN --policy-document file://restricted-policy.json --set-as-default

Remediation: Terraform

resource "aws_iam_policy" "restricted" {
  name = "restricted-policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject", "s3:ListBucket"]
      # s3:ListBucket applies to the bucket ARN, s3:GetObject to object ARNs
      Resource = ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
    }]
  })
}

This check is part of cloud-audit - install with pip install cloud-audit