IAM policies scope permissions to AWS resources using the Resource element in each policy statement.

Why is this an issue?

When an IAM policy uses "*" in the Resource element, the granted identity can access every resource in the AWS account, even when only a subset is needed. This violates the principle of least privilege.

What is the potential impact?

Unauthorized access to sensitive resources

An identity with overly broad permissions can read, modify, or delete resources it was never intended to access. If the account contains resources with different sensitivity levels, a compromised or misused credential exposes all of them.

Data disclosure and privilege escalation

Attackers who obtain credentials with wildcard resource access can exfiltrate sensitive data or escalate privileges by modifying IAM policies, roles, or other security controls across the account.

How to fix it

Code examples

In the example below, the permission to update policies applies to every policy in the account, because the wildcard (*) is used in the Resource property instead of restricting access to a specific subset of resources.

Noncompliant code example

AWSTemplateFormatVersion: 2010-09-09
Resources:
  ExamplePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
        PolicyDocument:
            Version: "2012-10-17"
            Statement:
                - Effect: Allow
                  Action:
                    - "iam:CreatePolicyVersion"
                  Resource:
                    - "*" # Noncompliant
        Roles:
            - !Ref MyRole

Compliant solution

Restrict update permission to the appropriate subset of policies:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  ExamplePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
        PolicyDocument:
            Version: "2012-10-17"
            Statement:
                - Effect: Allow
                  Action:
                    - "iam:CreatePolicyVersion"
                  Resource:
                    - !Sub "arn:aws:iam::${AWS::AccountId}:policy/team1/*"
        Roles:
            - !Ref MyRole
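The check described above, as an added example that is not part of this rule page and is not Sonar's analyzer: a small Python script that walks an IAM PolicyDocument (assumed to be already loaded into a dict, e.g. from JSON or from YAML with CloudFormation short-form tags such as !Sub converted to their long form) and reports every Allow statement whose Resource is the bare wildcard "*". The sample documents are constructed from the two templates above; the intrinsic-function handling in _resolve is an assumption about how a loader would represent !Sub and !Join, not something the page specifies.

```python
import json

# Constructed sample: the PolicyDocument from the noncompliant template above,
# in the dict form a JSON/YAML loader produces.
NONCOMPLIANT_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:CreatePolicyVersion"], "Resource": ["*"]},
    ],
}

# Constructed sample: the compliant template's PolicyDocument. The YAML short form
# `!Sub "..."` is assumed to have been converted to the long form {"Fn::Sub": "..."}.
COMPLIANT_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:CreatePolicyVersion"],
            "Resource": [{"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/team1/*"}],
        },
    ],
}


def _as_list(value):
    """IAM accepts Action/Resource as a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _resolve(resource):
    """Reduce one Resource entry to a string for matching.

    Plain strings pass through. CloudFormation long-form intrinsics are unwrapped
    conservatively (assumption): Fn::Sub keeps its template text, Fn::Join is joined
    literally, Ref becomes "Ref:<name>". Anything unknown is serialised to JSON so it
    can never accidentally compare equal to "*".
    """
    if isinstance(resource, str):
        return resource
    if isinstance(resource, dict) and len(resource) == 1:
        key, arg = next(iter(resource.items()))
        if key == "Fn::Sub":
            return arg if isinstance(arg, str) else arg[0]
        if key == "Fn::Join":
            delimiter, parts = arg
            return delimiter.join(p if isinstance(p, str) else json.dumps(p) for p in parts)
        if key == "Ref":
            return f"Ref:{arg}"
    return json.dumps(resource, sort_keys=True)


def find_wildcard_resources(policy_document):
    """Return (statement_index, action, resource) for every Allow statement whose
    Resource contains the bare wildcard "*".

    Deny statements are skipped: a Deny on "*" narrows access instead of widening it.
    A scoped ARN that merely ends in "/*" (like the compliant example) is not flagged,
    because it is still restricted to a prefix inside one account.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = [_resolve(r).strip() for r in _as_list(stmt.get("Resource"))]
        if "*" not in resources:
            continue
        for action in _as_list(stmt.get("Action")) or ["<no Action>"]:
            findings.append((idx, action, "*"))
    return findings


def is_compliant(policy_document):
    """True when no Allow statement grants access to every resource."""
    return not find_wildcard_resources(policy_document)


if __name__ == "__main__":
    for name, doc in (("noncompliant", NONCOMPLIANT_DOC), ("compliant", COMPLIANT_DOC)):
        hits = find_wildcard_resources(doc)
        print(f"{name}: {'OK' if not hits else f'{len(hits)} wildcard resource(s)'}")
        for idx, action, res in hits:
            print(f"  Statement[{idx}] {action} -> Resource {res!r}")
```

Run it directly to see the first template reported and the second pass. In a CI pipeline the same function can be applied to every PolicyDocument found under AWS::IAM::ManagedPolicy, AWS::IAM::Policy and AWS::IAM::Role resources before the template is deployed.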
