Customer-managed IAM policies are examined for statements that grant aws-marketplace:Subscribe on all resources (*). This action controls the ability to subscribe to AWS Marketplace products, including Amazon Bedrock foundation models, and should be scoped to specific product ARNs to enforce least privilege.
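As an added illustration of the condition this check looks for (example code written here, not Prowler's own implementation), the function below scans an IAM policy document for Allow statements that grant aws-marketplace:Subscribe on Resource "*". It normalises the string-or-list forms IAM permits, treats action wildcards such as aws-marketplace:* or * as also granting Subscribe, and accounts for NotAction statements. The sample policy documents and the product ID in them are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample policies (placeholders, not taken from any real account).
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["aws-marketplace:Subscribe",
                              "aws-marketplace:ViewSubscriptions"],
                   "Resource": "*"}],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow",
                  "Action": "aws-marketplace:Subscribe",
                  "Resource": "arn:aws:aws-marketplace::123456789012:product/prod-EXAMPLE"},
})


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_action(pattern, action="aws-marketplace:Subscribe"):
    """IAM action names are case-insensitive and patterns may use '*' and '?',
    so 'aws-marketplace:*' or a bare '*' also grant Subscribe."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_wildcard_subscribe(policy_document):
    """Return indexes of Allow statements granting aws-marketplace:Subscribe
    on every resource. Deny statements never create a finding. An Allow with
    NotAction grants everything except the listed actions, so it is flagged
    unless one of its NotAction patterns covers Subscribe."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            grants = not any(_grants_action(p) for p in _as_list(stmt["NotAction"]))
        else:
            grants = any(_grants_action(p) for p in _as_list(stmt.get("Action")))
        # "*" anywhere in Resource is the unscoped grant the check reports.
        if grants and "*" in _as_list(stmt.get("Resource")):
            findings.append(idx)
    return findings
```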
Risk
Granting aws-marketplace:Subscribe on all resources allows a principal to subscribe to any Marketplace product, including expensive Bedrock foundation models, which can lead to uncontrolled costs, shadow AI usage, and compliance violations from unapproved deployments.
prowler aws --checks iam_policy_no_wildcard_marketplace_subscribe
Recommendation
Replace Resource: "*" with specific, approved AWS Marketplace product ARNs. Apply the principle of least privilege to aws-marketplace:Subscribe permissions to prevent unauthorized subscriptions to costly Bedrock models and other Marketplace products.
Remediation
aws iam create-policy-version --policy-arn <POLICY_ARN> --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["aws-marketplace:Subscribe"],"Resource":"arn:aws:aws-marketplace::<ACCOUNT_ID>:product/<PRODUCT_ID>"}]}' --set-as-default
- In the AWS Console, open IAM > Policies
- Find the custom policy that allows aws-marketplace:Subscribe on Resource: *
- Click Edit and switch to the JSON editor
- Replace "Resource": "*" with specific, approved AWS Marketplace product ARNs
- Save changes and re-run the check to confirm it passes
Resource Type
AwsIamPolicy
Related To
- iam_inline_policy_no_wildcard_marketplace_subscribe