Custom IAM policies are reviewed for statements that grant full CloudTrail access via the cloudtrail:* wildcard, indicating unrestricted permission to all CloudTrail actions.
Risk
Unrestricted CloudTrail control lets principals stop or alter logging, delete or modify trails, and query events.
This enables log evasion, audit tampering, and reconnaissance, undermining the integrity, availability, and confidentiality of audit evidence and detection.
prowler aws --checks iam_policy_no_full_access_to_cloudtrail
Recommendation
Apply least privilege: avoid cloudtrail:* and allow only required actions.
Enforce separation of duties for trail management. Use permissions boundaries or SCPs to block broad CloudTrail access, and validate policies regularly to refine scopes.
Remediation
aws iam create-policy-version --policy-arn <example_policy_arn> --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"cloudtrail:DescribeTrails","Resource":"*"}]}' --set-as-default
- In the AWS Console, go to IAM > Policies
- Open the custom managed policy that contains Action: "cloudtrail:*"
- Click Edit JSON
- Replace "cloudtrail:*" with only the specific CloudTrail actions needed (e.g., "cloudtrail:DescribeTrails" or "cloudtrail:LookupEvents"), or remove CloudTrail actions entirely
- Save changes to create/set the new default policy version
- Verify the policy no longer contains "cloudtrail:*"
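The check described above, as an added example that is not Prowler's own code: a small policy-document scanner that flags Allow statements granting every CloudTrail action, run against a constructed over-broad policy and the remediated least-privilege policy from the CLI step. It handles the IAM quirks that matter here: Action and Statement may be a single value or a list, action names match case-insensitively, and a bare "*" wildcard implies cloudtrail:* as well.

```python
import json
from typing import Any

# Constructed sample policies (hypothetical, not taken from the page or from Prowler).
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "cloudtrail:*"], "Resource": "*"}
    ],
}

# Remediated policy: only the single CloudTrail action that is actually needed.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudtrail:DescribeTrails", "Resource": "*"}
    ],
}


def _as_list(value: Any) -> list:
    """IAM allows Statement and Action to be a single string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_full_cloudtrail_statements(policy_document: dict) -> list[dict]:
    """Return the Allow statements that grant every CloudTrail action.

    Flags 'cloudtrail:*' as the check describes, and also the bare '*' wildcard,
    which grants full CloudTrail access too. Matching is case-insensitive because
    IAM compares action names case-insensitively. Deny statements are ignored.
    """
    findings = []
    for statement in _as_list(policy_document.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        actions = [str(a).lower() for a in _as_list(statement.get("Action"))]
        if any(a in ("cloudtrail:*", "*") for a in actions):
            findings.append(statement)
    return findings


def policy_has_full_cloudtrail_access(policy_json: str) -> bool:
    """Convenience wrapper for a raw JSON policy document string, e.g. from the CLI."""
    return bool(find_full_cloudtrail_statements(json.loads(policy_json)))
```

A real deployment would feed this the default version of each customer-managed policy; statements using NotAction are out of scope here and need separate handling.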
Resource Type
AwsIamPolicy