IAM policies should avoid using wildcards

Severity: HIGH
Exploitability: MEDIUM
Providers: AWS
Categories: PERMISSION

Description

Identity and access management (IAM) ensures that the right people and job roles in the organization can access the tools they need for their tasks. IAM policies define the permissions granted on resources. An overly permissive policy can grant access to unintended resources or actions.

Impact

Potential data exposure: True
Visible in logs: False
User interaction required: False
Privileges required: True

Misconfigured permissions or direct access to storage drives can lead to data leaks.

Remediation guidelines

Replace the wildcard (*) permissions in the policy document with only the permissions required to perform the task. Start with a minimum set of permissions and grant additional permissions as necessary.

AWS provides tools that hint at which permissions may be unneeded for your use case: CloudTrail and IAM Access Advisor report on user access activity, while IAM Access Analyzer can help refine permissions.

Learn more in AWS - Grant least privilege
