Ensure IAM policy documents do not allow * (asterisk) as a statement's action

Error: IAM policy documents allow * (asterisk) as a statement's action

Bridgecrew Policy ID: BC_AWS_IAM_43
Checkov Check ID: CKV_AWS_49
Severity: HIGH

IAM policy documents allow * (asterisk) as a statement's action

Description

The Action element describes the specific action or actions that will be allowed or denied. Statements must include either an Action or NotAction element. Each AWS service has its own set of actions that describe tasks that can be performed with that service. Specify a value using a namespace that identifies a service, for example, iam, ec2, sqs, sns, s3, followed by the name of the action to be allowed or denied. The name must match an action that is supported by the service.

We recommend you do not allow "*" (all actions) as the value of an Action element. This level of access could potentially grant unwanted and unregulated access to anyone given this policy document setting. We recommend writing a refined policy that names the specific actions allowed or required by the specific policy holder.

Fix - Runtime

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon IAM console.
  3. In the navigation pane, choose Policies.
  4. In the list of policies, choose the policy name of the policy to edit. You can use the Filter menu and the search box to filter the list of policies.
  5. Choose the Permissions tab, then choose Edit Policy.
  6. Identify any Action elements that permit all actions ("*").
  7. On the Review page, review the policy Summary, then click Save Changes.

Fix - Buildtime

Terraform

  • Argument: statement
  • Attribute: action
    Example fix:
resource "aws_iam_policy" "example" {
  # ... other configuration ...
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
-   "Action": "*",
    "Resource": "*"
  }
}
POLICY
}
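The script below is an added example, not code from this page or from Checkov itself. It parses an IAM policy document and reports every Allow statement whose Action contains "*", handling the single-object and list forms that IAM accepts for both Statement and Action, and compares the overly broad policy above with a refined one that names specific actions. The two sample policies, their Sids and the s3 actions they list are constructed for the example.

```python
import json

# Constructed sample: the overly broad "before" policy from the Terraform example.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
})

# Constructed sample: a refined policy naming only the actions the holder needs.
# Its Deny statement uses "*" as a guardrail, not a grant, so it must not be flagged.
REFINED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyS3", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value):
    """IAM accepts a scalar or a list for Statement and Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_actions(policy_json):
    """Return (index, Sid) for every Allow statement whose Action includes a literal "*"."""
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        # Deny statements and NotAction statements carry no "*" grant and are skipped.
        if statement.get("Effect") != "Allow":
            continue
        if any(action == "*" for action in _as_list(statement.get("Action"))):
            findings.append((index, statement.get("Sid")))
    return findings


def policy_passes(policy_json):
    """True when no Allow statement grants "*" as an action (the check's PASSED state)."""
    return not find_wildcard_actions(policy_json)


if __name__ == "__main__":
    for name, doc in (("overly broad", OVERLY_BROAD_POLICY), ("refined", REFINED_POLICY)):
        verdict = "PASSED" if policy_passes(doc) else "FAILED"
        print(f"{name}: {verdict} {find_wildcard_actions(doc)}")
```

Run against a policy rendered from the Terraform heredoc, the first sample fails with the single statement reported and the refined sample passes.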