AWS IAM policy documents allow * (asterisk) as a statement's action
Description
This policy ensures that IAM policy documents do not allow `"*"` as a statement's actions. Allowing `"*"` as the `Action` of an `Allow` statement grants permission to every AWS API action on the statement's resources; combined with `"Resource": "*"` it is full administrative access, and it makes least-privilege review of the principal impossible. The policy flags any IAM policy document containing a statement whose `Action` is, or includes, `"*"`; such statements should be rewritten to list the specific actions the principal needs.
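The check described above, as an added example that is not part of this page or of the scanner it documents: a small Python checker that parses an IAM policy document, normalises the single-value/list forms IAM allows for `Statement` and `Action`, and reports every `Allow` statement whose action list is or contains the bare `"*"`. The two sample documents are constructed for this example; the first mirrors the failing Terraform resource on this page, the second is a least-privilege rewrite. Treating an explicit `Deny` with `"*"` as acceptable is this example's design choice, and so is leaving service-scoped wildcards such as `"s3:*"` unflagged, since the rule text here only targets the full wildcard.

```python
import json
from typing import Any

# Constructed sample inputs (not the page's own test data). The first mirrors the
# non-compliant Terraform example on this page; the second is a least-privilege rewrite.
NONCOMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["*"], "Effect": "Allow", "Resource": "*"}
    ],
})

COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        },
        # An explicit Deny with "*" is a common guardrail pattern; this checker does not
        # flag it because a Deny cannot grant access (example design choice, an assumption).
        {
            "Sid": "DenyOutsideRegion",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}},
        },
    ],
})


def _as_list(value: Any) -> list:
    """IAM lets Statement and Action be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_action_statements(policy_json: str) -> list[dict]:
    """Return one finding per Allow statement whose Action is, or contains, the bare "*".

    Only the full wildcard is reported, matching the rule text on this page; service-scoped
    wildcards such as "s3:*" are a separate concern and are deliberately not flagged here.
    """
    document = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(document.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements cannot grant access, so "*" there is not a finding.
        actions = [a for a in _as_list(statement.get("Action")) if isinstance(a, str)]
        if any(a.strip() == "*" for a in actions):
            findings.append({
                "index": index,
                "sid": statement.get("Sid"),
                "resource": statement.get("Resource"),
            })
    return findings


def policy_is_compliant(policy_json: str) -> bool:
    """Pass/fail result in the shape an IaC scanner would report for this rule."""
    return not find_wildcard_action_statements(policy_json)


if __name__ == "__main__":
    for name, doc in (("non-compliant", NONCOMPLIANT_POLICY), ("compliant", COMPLIANT_POLICY)):
        verdict = "PASSED" if policy_is_compliant(doc) else "FAILED"
        print(name, verdict, find_wildcard_action_statements(doc))
```

Running the module prints one line per sample; the non-compliant document yields a finding for statement index 0 and the rewritten document yields none. The `Sid` and `Resource` in each finding are what you would surface in a report so the reviewer can locate the statement in the source file.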
Code Example
The resource below is the non-compliant form: an `Allow` statement with `"Action": ["*"]`. The line marked with `-` is the one the policy flags; it must be removed and replaced with the specific actions the principal needs.

```hcl
resource "aws_iam_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
-        "*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}
```
Remediation
Terraform
- Resource: aws_iam_policy
- Argument: policy (Required). The policy document, a JSON formatted string. Replace the `"*"` entry under `Action` with the specific actions the principal requires. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0116 |
| Severity | HIGH |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_63 |