Policies that grant all permissions violate the principle of least privilege.
Policies that grant all permissions, for example by using a wildcard (*) in the action field or by assigning an overly permissive
predefined role such as roles/owner, give an identity unrestricted access to every operation on a resource. Under the principle of least
privilege, a policy should grant only the minimum set of permissions the identity needs to perform its intended function. Overly permissive
policies increase the damage a misused or stolen identity can do: unintended data modification, data exposure, or full compromise of the
cloud environment.
An attacker who gains control of an identity with full permissions can perform any operation on every resource the policy covers, including reading, modifying, or deleting sensitive data. If the grant also covers IAM, the attacker can escalate privileges by creating new identities or modifying other policies, which can lead to a full compromise of the cloud environment.
The following AWS IAM policy grants every action on the bucket (Action "*") instead of limiting the identity to the operations it actually requires.
resource "aws_iam_policy" "example" {
  name = "noncompliantpolicy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "*" # Noncompliant: every action, not just the ones this identity needs
        ]
        Effect = "Allow"
        Resource = [
          aws_s3_bucket.mybucket.arn
        ]
      }
    ]
  })
}
The compliant version grants only the single action the identity requires on that bucket.
resource "aws_iam_policy" "example" {
  name = "compliantpolicy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "s3:GetObject" # Compliant: only the read operation this identity needs
        ]
        Effect = "Allow"
        Resource = [
          aws_s3_bucket.mybucket.arn
        ]
      }
    ]
  })
}
The following GCP project binding assigns the basic roles/owner role, which grants all permissions on the project, instead of a role limited to what the member requires.
resource "google_project_iam_binding" "example" {
  project = "example"
  role    = "roles/owner" # Noncompliant: basic role with all permissions on the project
  members = [
    "user:jane@example.com",
  ]
}
The compliant version assigns a narrowly scoped predefined role instead.
resource "google_project_iam_binding" "example" {
  project = "example"
  role    = "roles/actions.Viewer" # Compliant: read-only role scoped to one service
  members = [
    "user:jane@example.com",
  ]
}
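As an added example (not part of the original rule page or of its analyzer), the following Python script applies the same check to the policy documents themselves, which is useful when policies are generated or reviewed outside Terraform. It parses an AWS IAM policy document and flags Allow statements whose action field is the global wildcard, a service-wide wildcard such as `s3:*`, or a `NotAction` exclusion (Allow with NotAction grants every action not listed, which is just as broad as "*"), and it flags GCP project bindings on basic roles. The sample policies are constructed inline to mirror the two AWS examples above; treating roles/editor as a second basic role to flag, alongside the roles/owner the page names, is an assumption of this example.

```python
import json

# Constructed samples: the jsonencode() output of the two aws_iam_policy
# examples above, plus a NotAction variant. Not taken from any real account.
NONCOMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["*"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::mybucket"],
    }],
})

COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::mybucket"],
    }],
})

# Allow + NotAction grants every action that is NOT listed: here, everything
# except IAM. No literal "*" appears, but the grant is nearly as broad.
NOTACTION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "NotAction": ["iam:*"],
        "Effect": "Allow",
        "Resource": "*",
    }],
})

# Assumption for this example: the basic roles to flag on a project binding.
# The page names roles/owner; roles/editor is added as the other basic role
# that can modify most resources.
GCP_BASIC_ROLES = {"roles/owner", "roles/editor"}


def _as_list(value):
    """IAM allows Action, NotAction, Resource and Statement to be a single
    string or a list; normalise to a list so the checks below are uniform."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overly_permissive_statements(policy_document):
    """Return (statement_index, reason) for every Allow statement that grants
    all actions: directly ("*"), for a whole service ("s3:*"), or by
    exclusion (NotAction). Deny statements are skipped; they cannot over-grant."""
    policy = json.loads(policy_document)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if "NotAction" in statement:
            findings.append((index, "Allow with NotAction grants every action not listed"))
            continue
        for action in _as_list(statement.get("Action")):
            if action == "*":
                findings.append((index, "Action '*' grants every operation"))
            elif action.endswith(":*"):
                findings.append((index, f"Action '{action}' grants every operation of a service"))
    return findings


def check_gcp_binding(binding):
    """binding: dict with 'role' and 'members', shaped like the arguments of
    google_project_iam_binding. Returns a list of reasons (empty if fine)."""
    role = binding.get("role", "")
    if role in GCP_BASIC_ROLES:
        members = _as_list(binding.get("members"))
        return [f"{role} grants {len(members)} member(s) broad permissions on the whole project"]
    return []


if __name__ == "__main__":
    for name, doc in (("noncompliant", NONCOMPLIANT_POLICY),
                      ("compliant", COMPLIANT_POLICY),
                      ("notaction", NOTACTION_POLICY)):
        print(name, find_overly_permissive_statements(doc))
    print(check_gcp_binding({"role": "roles/owner", "members": ["user:jane@example.com"]}))
    print(check_gcp_binding({"role": "roles/actions.Viewer", "members": ["user:jane@example.com"]}))
```

The `NotAction` check is the caveat worth keeping in any linter of this kind: a policy that never contains the literal `*` in `Action` can still grant almost everything, so a simple substring search for `"*"` misses it. Service-wide wildcards such as `s3:*` are reported separately because, unlike the global wildcard, they are sometimes an accepted scope for a narrowly targeted resource; the reviewer still has to decide.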