IAM policy documents allow * (asterisk) as a statement's action

Description

The Action element in IAM policies defines the specific actions that are either permitted or denied. Each policy statement must include either an Action or NotAction element. AWS services each have a predefined set of actions that represent tasks that can be performed within the service. To define an action, use the service’s namespace (e.g., iam, ec2, sqs, sns, s3), followed by the specific action name that should be allowed or denied. The action name must correspond to a valid action supported by the service.

It is strongly recommended to avoid using "*" (wildcard) in the Action element, as it grants broad access to all actions within the specified service. This level of access can lead to excessive permissions and potential unauthorized access. Instead, write precise policies that clearly define the specific actions required by the policy holder, thereby minimizing the scope of access and ensuring more granular control over permissions.

Fix - Runtime

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon IAM console.
  3. In the navigation pane, choose Policies.
  4. In the list of policies, choose the policy name of the policy to edit. You can use the Filter menu and the search box to filter the list of policies.
  5. Choose the Permissions tab, then choose Edit Policy.
  6. Identify any statements whose Action element is the wildcard ("*") and narrow them to the specific actions the policy holder actually requires.
  7. On the Review page, review the policy Summary, then click Save Changes.

Fix - Buildtime

Terraform

  • Argument: statement
  • Attribute: action
    Example fix:

```hcl
resource "aws_iam_policy" "example" {
  # ... other configuration ...
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
-   "Action": "*",
    "Resource": "*"
  }
}
POLICY
}
```
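As an added example (not part of the original page), a small Python check that parses an IAM policy document and reports Allow statements whose Action element is the "*" wildcard; it handles both policy shapes (Statement as a single object, as in the Terraform snippet above, or as a list; Action as a string or a list), and the sample policies are constructed for this example.

```python
"""Flag IAM policy statements whose Action element is the "*" wildcard."""
import json


def wildcard_action_statements(policy_document: str) -> list[int]:
    """Return the indexes of Allow statements whose Action contains "*".

    Only Allow statements are reported: a Deny on "*" restricts access
    rather than granting it, so it is not the finding this check describes.
    """
    policy = json.loads(policy_document)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # single statement object, not a list
        statements = [statements]
    findings = []
    for index, statement in enumerate(statements):
        if statement.get("Effect", "Deny") != "Allow":
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):  # "Action": "*" vs "Action": ["..."]
            actions = [actions]
        if any(action.strip() == "*" for action in actions):
            findings.append(index)
    return findings


# Constructed sample inputs: the failing shape from the Terraform snippet,
# and a narrowed version that names only the actions actually required.
FAILING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
})

PASSING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "*"},
        # A Deny on "*" is restrictive (here: block non-TLS requests), so
        # it must not be reported by the check.
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    for name, doc in (("failing", FAILING_POLICY), ("passing", PASSING_POLICY)):
        print(f"{name}: statements with Action '*': {wildcard_action_statements(doc)}")
```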
