Restrict IAM policies with full 'asterisk-asterisk' administrative privileges

Severity
Low

Creation of IAM policies that allow full 'asterisk-asterisk' administrative privileges is detected. Make sure to prohibit the creation of IAM policies that allow full 'asterisk-asterisk' administrative privileges.

Detector ID
terraform/restrict-asterisk-iam-admin-policies-terraform@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

data "aws_iam_policy_document" "policy" {
  version = "2012-10-17"

  # Noncompliant: This IAM policy allows full "*-*" administrative privileges.
  statement {
    actions = ["*"]
    effect  = "Allow"
    resources = [
      "*"
    ]
  }
}

Compliant example

data "aws_iam_policy_document" "policy" {
  version = "2012-10-17"

  # Compliant: This IAM policy restricts administrative privileges.
  statement {
    actions = ["S3:*"]
    effect  = "Allow"
    resources = [
      "*"
    ]
  }
}
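As an added example (not part of this detector page or of CodeGuru), the following Python check applies the same rule to the JSON that an aws_iam_policy_document renders: it flags any Allow statement whose Action contains "*" (or "*:*") and whose Resource contains "*". The two sample documents are constructed to mirror the noncompliant and compliant Terraform above; handling of NotAction/NotResource and of Condition blocks is deliberately out of scope.

```python
import json


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin_statement(statement):
    """True when a statement grants every action on every resource.

    Matches Effect=Allow with "*" or "*:*" in Action and "*" in Resource.
    Condition blocks are not inspected, so a conditioned full grant is still
    flagged (conservative); NotAction/NotResource forms are not handled here.
    """
    if statement.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    resources = set(_as_list(statement.get("Resource")))
    return bool(actions & {"*", "*:*"}) and "*" in resources


def find_full_admin_statements(policy_json):
    """Return the indices of full-admin statements in an IAM policy document."""
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement"))
    return [i for i, s in enumerate(statements) if is_full_admin_statement(s)]


# Constructed samples: the JSON the noncompliant and compliant
# aws_iam_policy_document data sources on this page would render.
NONCOMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}],
})
COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]}],
})

if __name__ == "__main__":
    for name, doc in (("noncompliant", NONCOMPLIANT_POLICY),
                      ("compliant", COMPLIANT_POLICY)):
        print(name, "flagged statements:", find_full_admin_statements(doc))
```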