IAM policies scope permissions to AWS resources using the Resource element in each policy statement.
When a statement uses "*" in the Resource element, the identity the policy is attached to can perform the statement's actions on every resource in the account,
even when only a subset is needed. This violates the principle of least privilege.
An identity with overly broad permissions can read, modify, or delete resources it was never intended to access. If the account contains resources with different sensitivity levels, a compromised or misused credential exposes all of them.
Attackers who obtain credentials with wildcard resource access can exfiltrate sensitive data or escalate privileges by modifying IAM policies, roles, or other security controls across the account. With iam:CreatePolicyVersion on "*", for example, the holder can publish a new default version of a policy attached to their own identity and write any permissions they like into it.
In the following policy, the iam:CreatePolicyVersion permission is granted on every policy in the account because the Resource element is "*" instead of a specific subset of policies:
resource "aws_iam_policy" "noncompliantpolicy" {
  name = "noncompliantpolicy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "iam:CreatePolicyVersion"
        ]
        Effect = "Allow"
        Resource = [
          "*" # Noncompliant
        ]
      }
    ]
  })
}
Restrict the permission to the subset of policies the identity actually manages, here the policies under the /team1/ path in the current account (the aws_caller_identity data source supplies the account id). The identity can still replace any policy under that path, so keep the policies attached to the identity itself outside it:
data "aws_caller_identity" "current" {}

resource "aws_iam_policy" "compliantpolicy" {
  name = "compliantpolicy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "iam:CreatePolicyVersion"
        ]
        Effect = "Allow"
        Resource = [
          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/team1/*"
        ]
      }
    ]
  })
}
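As an added check (example code written for this page, not part of the rule or its Terraform examples), the Python below parses an IAM policy document, flags Allow statements that apply their actions to every resource (a bare "*" in Resource, or a NotResource element), and tests which ARNs a scoped Resource pattern such as the one above still covers. The allow-list of actions that take no resource scope, the account id and the two sample documents are assumptions constructed for the example.

```python
"""Flag IAM statements that grant actions on Resource "*" and test what a scoped
Resource pattern still covers. Example code for this rule, not part of the page."""
import json
import re

# Some actions carry no resource-level permissions in IAM, so "*" is the only valid
# Resource for them. Assumed allow-list for this example; extend it for your account.
ACTIONS_WITHOUT_RESOURCE_SCOPE = {
    "s3:ListAllMyBuckets",
    "ec2:DescribeInstances",
    "iam:ListUsers",
}


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_resources(policy):
    """Return one finding per Allow statement that applies to every resource.

    `policy` is a parsed policy document (the dict that Terraform's jsonencode()
    serialises). A statement is reported when its Resource contains the bare "*",
    or when it uses NotResource (everything except the listed ARNs). Statements whose
    actions all lack resource-level permissions are skipped: they cannot be scoped.
    """
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue  # Deny on "*" restricts rather than grants
        actions = _as_list(statement.get("Action"))
        sid = statement.get("Sid", index)
        if "NotResource" in statement:
            findings.append({"statement": sid, "actions": actions,
                             "reason": "NotResource grants every resource not listed"})
            continue
        if "*" not in _as_list(statement.get("Resource")):
            continue
        if actions and all(a in ACTIONS_WITHOUT_RESOURCE_SCOPE for a in actions):
            continue
        findings.append({"statement": sid, "actions": actions,
                         "reason": 'Resource "*" applies the actions to every resource'})
    return findings


def resource_pattern_matches(pattern, arn):
    """True if the IAM Resource `pattern` covers `arn`.

    IAM reads "*" as any run of characters (it crosses "/" and ":") and "?" as one
    character; everything else is literal. Useful for checking whether a scoped
    pattern still reaches a policy attached to the identity itself.
    """
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


# Constructed samples: the JSON the two Terraform policies above produce, with a
# made-up account id standing in for data.aws_caller_identity.current.account_id.
ACCOUNT_ID = "123456789012"

NONCOMPLIANT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["iam:CreatePolicyVersion"], "Effect": "Allow", "Resource": ["*"]}
  ]
}""")

COMPLIANT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["iam:CreatePolicyVersion"],
        "Effect": "Allow",
        "Resource": [f"arn:aws:iam::{ACCOUNT_ID}:policy/team1/*"],
    }],
}

if __name__ == "__main__":
    for name, doc in (("noncompliant", NONCOMPLIANT_POLICY), ("compliant", COMPLIANT_POLICY)):
        print(f"{name}: {find_wildcard_resources(doc)}")
    scoped = COMPLIANT_POLICY["Statement"][0]["Resource"][0]
    for arn in (f"arn:aws:iam::{ACCOUNT_ID}:policy/team1/deployer",
                f"arn:aws:iam::{ACCOUNT_ID}:policy/AdministratorAccess"):
        print(f"{scoped} covers {arn}: {resource_pattern_matches(scoped, arn)}")
```

Run it against the JSON that `terraform show -json` or `aws iam get-policy-version` returns for your own policies; the pattern check is the quick way to confirm that a path-scoped Resource does not reach a policy attached to the same identity.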