IAM AWS-managed policies attached to identities are inspected for statements that allow Action '*' on Resource '*', i.e., full administrative *:* permissions.
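The statement test the check performs, as an added example in plain Python that is not Prowler's own code: it walks the policy document, normalises the string-or-list forms IAM allows for Action and Resource, and flags Allow statements that pair a full action wildcard with Resource "*". Treating both "*" and "*:*" as full action wildcards, and flagging a statement even when it carries a Condition, are this example's assumptions; the sample policy documents are constructed here (the AdministratorAccess document mirrors the well-known AWS-managed one).

```python
import json

# Action values taken to mean "every action". Prowler's own matching rule may differ;
# treating both spellings as full wildcards is this example's assumption.
FULL_ACTION_WILDCARDS = {"*", "*:*"}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def admin_statements(policy_document):
    """Return the Allow statements that grant every action on every resource.

    policy_document may be a dict or the JSON text of an IAM policy document.
    Deny statements and NotAction/NotResource forms are not matched by this
    rule, even though NotAction with a narrow exclusion can be nearly as broad.
    A Condition block does not exempt a statement here (conservative choice).
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    findings = []
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a in FULL_ACTION_WILDCARDS for a in actions) and "*" in resources:
            findings.append(stmt)
    return findings


def grants_full_admin(policy_document):
    """True when the document would fail the check (at least one *:* statement)."""
    return bool(admin_statements(policy_document))


# Constructed sample policy documents.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
ADMINISTRATOR_ACCESS_JSON = json.dumps(ADMINISTRATOR_ACCESS)

# Scoped, customer-managed style policy: service-level wildcard on one bucket only.
SCOPED_S3_READ = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        }
    ],
}

# A Deny statement plus an Allow whose action list hides a bare "*": still a finding.
MIXED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "*"], "Resource": ["*"]},
    ],
}

DENY_ONLY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*"},
}

if __name__ == "__main__":
    for name, doc in [("AdministratorAccess", ADMINISTRATOR_ACCESS),
                      ("ScopedS3Read", SCOPED_S3_READ),
                      ("Mixed", MIXED),
                      ("DenyOnly", DENY_ONLY)]:
        print(f"{name}: {'FAIL' if grants_full_admin(doc) else 'PASS'}")
```

To run this against real policies, fetch the default version of each attached AWS-managed policy (the `get_policy_version` response carries the document under `PolicyVersion.Document`) and pass that dict to `grants_full_admin`.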
Risk
Unrestricted *:* access enables any action on any resource, risking:
- Data exfiltration (confidentiality)
- Unauthorized changes and policy tampering (integrity)
- Service deletion or shutdown (availability)
Attackers can disable logging, create backdoor principals, and expand lateral movement.
Run this check with Prowler CLI
prowler aws --checks iam_aws_attached_policy_no_administrative_privileges
Recommendation
Apply least privilege: avoid attaching AWS-managed policies that grant *:*.
- Use customer-managed, scoped policies per role
- Enforce separation of duties and permissions boundaries
- Prefer temporary, time-bound elevation for emergencies with MFA
- Regularly review access and use conditions to constrain context
Remediation
Other
- In the AWS Console, go to IAM > Policies
- Search for the flagged AWS-managed policy (e.g., AdministratorAccess) and open it
- Click Attached entities
- Select all Users, Groups, and Roles shown and click Detach
- Confirm the policy shows 0 attached entities
- Rerun the check to verify it passes
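The same detach procedure expressed as a reviewable plan, as an added example that is not Prowler's or AWS's code: the plan is built from the shape of the IAM `list_entities_for_policy` response (keys `PolicyUsers`, `PolicyGroups`, `PolicyRoles`) and applied through the IAM `detach_user_policy`, `detach_group_policy` and `detach_role_policy` calls. The entity names and the `RecordingIam` stand-in client are constructed for this example; the real run (commented out) uses a boto3 IAM client and a paginator, since the list call is paginated.

```python
# (response key, name field in each entry, IAM detach call) for each entity kind.
# These are the real field and method names of the IAM API / boto3 client.
ENTITY_KINDS = (
    ("PolicyUsers", "UserName", "detach_user_policy"),
    ("PolicyGroups", "GroupName", "detach_group_policy"),
    ("PolicyRoles", "RoleName", "detach_role_policy"),
)


def build_detach_plan(entities_response, policy_arn):
    """Turn one list_entities_for_policy page into a list of detach steps.

    Each step is {"api": <client method name>, "kwargs": {<NameField>: ..., "PolicyArn": ...}}.
    Nothing is changed here; the plan can be printed and reviewed before applying.
    """
    plan = []
    for key, name_field, api in ENTITY_KINDS:
        for entity in entities_response.get(key, []):
            plan.append({
                "api": api,
                "kwargs": {name_field: entity[name_field], "PolicyArn": policy_arn},
            })
    return plan


def apply_detach_plan(plan, iam_client):
    """Execute every step against iam_client and return the number applied.

    iam_client is anything exposing the three detach_* methods: a boto3 IAM
    client in practice, the RecordingIam stand-in below when testing.
    """
    for step in plan:
        getattr(iam_client, step["api"])(**step["kwargs"])
    return len(plan)


class RecordingIam:
    """Constructed stand-in for a boto3 IAM client that only records calls."""

    def __init__(self):
        self.calls = []

    def detach_user_policy(self, **kwargs):
        self.calls.append(("detach_user_policy", kwargs))

    def detach_group_policy(self, **kwargs):
        self.calls.append(("detach_group_policy", kwargs))

    def detach_role_policy(self, **kwargs):
        self.calls.append(("detach_role_policy", kwargs))


POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed sample, mirroring the shape of a list_entities_for_policy response.
SAMPLE_ENTITIES = {
    "PolicyGroups": [{"GroupName": "admins", "GroupId": "AGPAEXAMPLEID"}],
    "PolicyUsers": [{"UserName": "ci-deploy", "UserId": "AIDAEXAMPLEID"}],
    "PolicyRoles": [{"RoleName": "legacy-ops", "RoleId": "AROAEXAMPLEID"}],
    "IsTruncated": False,
}

if __name__ == "__main__":
    plan = build_detach_plan(SAMPLE_ENTITIES, POLICY_ARN)
    for step in plan:
        print(step["api"], step["kwargs"])
    # Real run against an account (review the printed plan first):
    # import boto3
    # iam = boto3.client("iam")
    # pages = iam.get_paginator("list_entities_for_policy").paginate(PolicyArn=POLICY_ARN)
    # for page in pages:
    #     apply_detach_plan(build_detach_plan(page, POLICY_ARN), iam)
```

Review the printed plan before applying it: detaching from every entity at once also removes the policy from whatever principal you rely on for emergency access, so make sure a separate, MFA-protected elevation path exists first, as the recommendation above asks.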
Resource Type
AwsIamPolicy