IAM policies should not have full “*:*” administrative privileges


IAM policies should start with a minimum set of permissions and include more as needed rather than starting with full administrative privileges. Providing full administrative privileges when unnecessary exposes resources to potentially unwanted actions.

Remediation Steps

AWS Console

  • Navigate to Identity and Access Management.

  • In the left navigation, select Policies.

  • Select the Policy and edit the document to define only the necessary permissions to ensure least privilege.

  • Repeat for each policy whose Effect is set to Allow with Action set to * and Resource set to *.

AWS CLI

  • List all IAM users, groups, and roles that the specified managed policy is attached to:

    • aws iam list-entities-for-policy --policy-arn <policy_arn>

  • Detach the policy from all IAM Users:

    • aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>

  • Detach the policy from all IAM Groups:

    • aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>

  • Detach the policy from all IAM Roles:

    • aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>

Terraform

Ensure that IAM policy definitions in aws_iam_policy resources, or inline in aws_iam_group_policy, aws_iam_role_policy, and aws_iam_user_policy resources, do not have Effect set to “Allow” together with Action and Resource both set to * in the policy block.
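The check described on this page, written out as an added example (not part of the original page or of any AWS tooling): it parses an IAM policy document and returns the indexes of statements that grant Allow with Action * and Resource *. The two sample policy documents are constructed for illustration; Action and Resource may each be a string or a list in IAM JSON, and a "*" inside a list is treated the same as the bare string.

```python
import json

# Constructed sample policy documents (not taken from the original page).
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        # An explicit Deny on */* is not a finding; only Allow is flagged.
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_full_admin_statements(policy_document):
    """Return indexes of statements with Effect Allow, Action * and Resource *.

    Both a bare "*" and a "*" inside a list (e.g. ["s3:*", "*"]) count as a wildcard.
    """
    offenders = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            offenders.append(idx)
    return offenders


def check_policy_json(policy_json):
    """Same check for a policy document supplied as a JSON string."""
    return find_full_admin_statements(json.loads(policy_json))
```

An empty result means the document passes; any returned index points at a statement that should be rewritten to the minimum permissions actually needed.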