iam-policy-no-statements-with-admin-access - AWS Config


Checks the IAM policies that you create for Allow statements that grant permissions to all actions on all resources. The rule is NON_COMPLIANT if any policy statement includes "Effect": "Allow" with "Action": "*" over "Resource": "*".

The following policy is NON_COMPLIANT:

"Statement": [ { "Sid": "VisualEditor", "Effect": "Allow", "Action": "*", "Resource": "*" }

The following policy is COMPLIANT:

"Statement": [ { "Sid": "VisualEditor", "Effect": "Allow", "Action": "service:*", "Resource": "*" }

This rule checks only the IAM policies that you create. It does not check IAM Managed Policies. When you enable the rule, this rule checks all of the customer managed policies in your account, and all new policies that you create.


Trigger type: Configuration changes

AWS Region: All supported AWS regions



AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.