The AWS Managed IAMFullAccess IAM policy should not be used

Description

This policy detects situations where the AWS Managed IAMFullAccess IAM policy is being used. The IAMFullAccess policy grants full permissions to manage all aspects of IAM, which can be a security threat if not managed correctly.

Code Example

resource "aws_iam_role_policy_attachment" "example" {
  role       = "example"
  policy_arn = "arn:aws:iam::aws:policy/AnotherIAMPolicyWithLeastPrivilege"
}

Remediation

Terraform

Resource: aws_iam_role_policy_attachment
Arguments: policy_arn

To fix, it's recommended to replace IAMFullAccess with more granular, least privilege policies that limit scope of permissions. Remove policy_arn = "arn:aws:iam::aws:policy/IAMFullAccess" and replace it with the ARN of the least privilege policy.

Secure code example:

Rule Details

Field	Value
ID	IAC-0490
Severity	HIGH
IaC Type	Terraform
Frameworks	Terraform, TerraformPlan
Checkov ID	CKV2_AWS_56

References

Checkov Rule

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

The AWS Managed IAMFullAccess IAM policy should not be used

Description

Code Example

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

The AWS Managed IAMFullAccess IAM policy should not be used ​

Description ​

Code Example ​

Remediation ​

Rule Details ​

References ​

The AWS Managed IAMFullAccess IAM policy should not be used

Description

Code Example

Remediation

Rule Details

References