iam-policy-no-statements-with-admin-access - AWS Config


Checks the IAM policies that you create, such as identity-based or resource-based policies, for Allow statements that grant permissions to all actions on all resources. The rule is NON_COMPLIANT if any policy statement includes "Effect": "Allow" with "Action": "*" over "Resource": "*". For example, the following statement is NON_COMPLIANT:

"Statement": [ { "Sid": "VisualEditor", "Effect": "Allow", "Action": "service:*", "Resource": "*" }

This rule checks only the IAM policies that you create. It does not check IAM Managed Policies. When you enable the rule, this rule checks all of the customer managed policies in your account, and all new policies that you create.


Trigger type: Configuration changes

AWS Region: All supported AWS regions



AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.