IAM inline policies are evaluated for statements that grant full CloudTrail permissions (cloudtrail:*) to all resources.
The finding flags identity policies that provide unrestricted control over CloudTrail operations.
Risk
Full CloudTrail access allows stopping trails, modifying configurations, or deleting audit data, compromising log integrity and availability. It also exposes event data, impacting confidentiality. Adversaries could hide activity, evade detection, and obstruct investigations.
prowler aws --checks iam_inline_policy_no_full_access_to_cloudtrail
Recommendation
Enforce least privilege and separation of duties: avoid cloudtrail:*; grant only specific actions needed (prefer read-only where possible). Add guardrails or boundaries to block destructive actions. Use managed, centrally governed policies and periodically right-size permissions based on usage.
Remediation
- Open the IAM console and go to Users, Roles, or Groups
- Select the entity with the failing inline policy
- In Permissions, expand Inline policies and open the policy
- Click Edit policy and switch to the JSON editor
- Replace any "Action": "cloudtrail:*" with only required CloudTrail actions (e.g., "cloudtrail:DescribeTrails"), or remove that statement if not needed
- Save changes
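The following is an added example, not Prowler's own check code, illustrating both the detection described at the top of the page (an Allow statement with `cloudtrail:*` on all resources) and the narrowing step from the remediation list. The policy documents are constructed samples; the account ID and trail name in the resource-scoped sample are placeholders. One assumption beyond the page: a bare `"*"` action is also treated as full CloudTrail access, since it covers every CloudTrail operation.

```python
import json

# Constructed sample inline policies (not from the page).
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"}],
}

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus"],
        "Resource": "*",
    }],
}

DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "cloudtrail:*", "Resource": "*"}],
}

# Placeholder account ID and trail name; scoped to one trail, not all resources.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "cloudtrail:*",
        "Resource": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail",
    }],
}

# Two statements; only the second one should be flagged.
MIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
        {"Effect": "Allow", "Action": ["CloudTrail:*"], "Resource": ["*"]},
    ],
}


def _load(policy_document):
    """Accept either a JSON string or an already-parsed dict."""
    return json.loads(policy_document) if isinstance(policy_document, str) else policy_document


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _is_full_cloudtrail(action):
    # Action names are case-insensitive. Assumption: a bare "*" also counts.
    return action.lower() in ("cloudtrail:*", "*")


def full_cloudtrail_statements(policy_document):
    """Return the indices of Allow statements granting cloudtrail:* on Resource "*"."""
    doc = _load(policy_document)
    flagged = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements do not grant anything
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(_is_full_cloudtrail(a) for a in actions) and "*" in resources:
            flagged.append(idx)
    return flagged


def remediate(policy_document, allowed_actions):
    """Return a copy of the policy with each flagged statement narrowed to allowed_actions."""
    doc = json.loads(json.dumps(_load(policy_document)))  # deep copy, leave input untouched
    statements = _as_list(doc.get("Statement"))
    for idx in full_cloudtrail_statements(doc):
        statements[idx]["Action"] = list(allowed_actions)
    doc["Statement"] = statements
    return doc


if __name__ == "__main__":
    samples = {
        "full": FULL_ACCESS_POLICY, "least": LEAST_PRIVILEGE_POLICY,
        "deny": DENY_POLICY, "scoped": SCOPED_POLICY, "mixed": MIXED_POLICY,
    }
    for name, policy in samples.items():
        print(f"{name}: flagged statements {full_cloudtrail_statements(policy)}")
    print(json.dumps(remediate(FULL_ACCESS_POLICY, ["cloudtrail:DescribeTrails"]), indent=2))
```

In a real run the policy documents would come from the IAM API (`get_user_policy`, `get_role_policy`, `get_group_policy` via boto3) rather than from inline samples; the evaluation logic is the same. The example deliberately follows the page's "to all resources" wording, so a `cloudtrail:*` statement scoped to one trail ARN is not flagged, and it does not try to reason about `NotAction` or condition keys.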
Resource Type
AwsIamPolicy