Attached customer-managed IAM policies are evaluated for statements granting full admin access via Action: "*", Resource: "*", i.e., *:*. Only policies you created and attached to identities are considered.
Risk
Unrestricted admin access lets any attached principal perform any action on any resource, enabling data exfiltration, policy tampering, credential creation, logging disablement, and destructive deletions, compromising confidentiality, integrity, and availability across the account.
prowler aws --checks iam_customer_attached_policy_no_administrative_privileges
Recommendation
Enforce least privilege: replace wildcards with specific actions, scope Resource to needed ARNs, and add restrictive Conditions. Prefer role-based access and separation of duties. Use permissions boundaries and organization guardrails, and regularly review policies with policy validation and Access Analyzer.
Remediation
aws iam create-policy-version --policy-arn <EXAMPLE_POLICY_ARN> --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:GetUser","Resource":"*"}]}' --set-as-default
- In the AWS Console, go to IAM > Policies and open the customer managed policy from the finding
- Select the Policy versions tab and click Create version
- Replace the JSON with: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:GetUser","Resource":"*"}]}
- Check Set as default version and click Create version
- Confirm the policy no longer contains an Allow with Action "*" (or "*:*") over Resource "*"
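The following is an added example, not Prowler's own source code, that reimplements the statement test described at the top of this page (an Allow statement whose Action is "*" or "*:*" over Resource "*") and applies it to two constructed policy documents: a full-admin policy and the remediated iam:GetUser policy from the steps above. It handles Action and Resource given either as a single string or as a list, and a Statement given as a single object or a list, which is where simple string-matching checks tend to miss findings. The policy names and the finding-line format are assumptions for illustration.

```python
import json

# Action values that grant every action; IAM action names are case-insensitive.
ADMIN_ACTIONS = {"*", "*:*"}


def _as_list(value):
    """Normalise IAM fields that may be a scalar or a list (or absent)."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def statement_grants_full_admin(statement):
    """True if one statement is an Allow of * (or *:*) on Resource *."""
    if statement.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    resources = set(_as_list(statement.get("Resource")))
    return bool(actions & ADMIN_ACTIONS) and "*" in resources


def policy_has_admin_access(policy_document):
    """True if any statement in the policy document grants full admin access."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    statements = _as_list(policy_document.get("Statement"))
    return any(statement_grants_full_admin(s) for s in statements)


def finding_for(policy_name, policy_document):
    """Render a PASS/FAIL line in the style of a scanner finding (assumed format)."""
    status = "FAIL" if policy_has_admin_access(policy_document) else "PASS"
    return f"{status}: customer managed policy {policy_name}"


# Constructed sample documents (not taken from any real account).
FULL_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

# List-form variant: a wildcard hidden among other actions, resources as a list.
LIST_FORM_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["s3:GetObject", "*:*"],
        "Resource": ["arn:aws:s3:::example-bucket/*", "*"],
    },
}

# The replacement document from the remediation steps on this page.
REMEDIATED_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    '"Action":"iam:GetUser","Resource":"*"}]}'
)

# An explicit Deny of everything is not an admin grant.
DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}


if __name__ == "__main__":
    for name, doc in [
        ("ExampleAdminPolicy", FULL_ADMIN_POLICY),
        ("ExampleListFormPolicy", LIST_FORM_ADMIN_POLICY),
        ("ExampleRemediatedPolicy", REMEDIATED_POLICY),
        ("ExampleDenyAllPolicy", DENY_ALL_POLICY),
    ]:
        print(finding_for(name, doc))
```

Run against the JSON you are about to set as the default version (step 3 above) before creating it; a PASS line from this function corresponds to the confirmation in the last remediation step.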
Resource Type
AwsIamPolicy