AWS Config Rule: IAM POLICY NO STATEMENTS WITH ADMIN ACCESS

IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS

Fernando Honig

Last Update 2 years ago

Description: Checks the customer managed IAM policies in your account for Allow statements that grant every action on every resource. The rule is NON_COMPLIANT if any policy statement includes "Effect": "Allow" with "Action": "*" over "Resource": "*". Only policies that you create are evaluated: AWS managed policies are not checked, and neither are inline policies embedded directly in a user, group or role. When you enable the rule, it evaluates all existing customer managed policies in the account and every new policy you create afterwards.


Trigger type: Configuration changes


AWS Region: All supported AWS regions


How to Resolve Manually

To resolve this manually, sign in to your AWS Management Console and go to IAM (Identity and Access Management).


Select the NON_COMPLIANT IAM policy, that is, the customer managed policy whose statement has "Effect": "Allow", "Action": "*" and "Resource": "*". The Config console lists the offending policy by its ARN, which you can search for under Policies in IAM.


List the services and actions the attached identities actually need, together with the specific resources (ARNs) they need them on. You will usually have to replace the single wildcard statement with several statements, one per service or resource group, and create a new default version of the policy with that content. Keep the check in mind when you do so: the rule only flags the exact combination of "*" actions on "*" resources, so a statement such as "s3:*" on "*", or a NotAction statement on "*", will pass the rule even though it is still far broader than least privilege requires.


Make sure to test that the roles, users or user groups the policy is attached to still work as expected after you replace the admin-access statement.
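The following is an added example, not StackZone's or AWS's code. It re-implements locally the condition that IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS evaluates, and runs it over three constructed policy documents: the non-compliant admin policy, a scoped replacement of the kind described above, and a service-wide wildcard policy that shows the limit of what the rule catches. The account ID, bucket name and table name are placeholders.

```python
"""Local check mirroring IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS.

Added example; not StackZone's or AWS's code. Sample policies are constructed
and the ARNs in them are placeholders.
"""
import json

# Constructed sample: the statement shape that makes the rule NON_COMPLIANT.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
})

# Constructed replacement: actions and resources are enumerated per service.
# Bucket, table and account ID are placeholders (assumptions).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadAppBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-app-bucket",
                "arn:aws:s3:::example-app-bucket/*",
            ],
        },
        {
            "Sid": "WriteAppTable",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example-app-table",
        },
    ],
})

# Constructed sample the rule does NOT flag: a service-wide wildcard on all
# resources is still very broad, but it is not Action "*" on Resource "*".
SERVICE_WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
    ],
})


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def admin_statements(policy_json: str) -> list:
    """Return the statements the Config rule would flag: Effect Allow with
    "*" among the Actions and "*" among the Resources. Handles a single
    statement object as well as a Statement list."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    flagged = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            flagged.append(stmt)
    return flagged


def is_compliant(policy_json: str) -> bool:
    """COMPLIANT when no statement matches the admin-access pattern."""
    return not admin_statements(policy_json)


if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_POLICY),
                      ("scoped", SCOPED_POLICY),
                      ("service-wildcard", SERVICE_WILDCARD_POLICY)):
        print(f"{name}: {'COMPLIANT' if is_compliant(doc) else 'NON_COMPLIANT'}")
```

Run the script as-is to see the three verdicts. To check a real policy, fetch the default version's Document with the AWS CLI (`aws iam get-policy-version --policy-arn ... --version-id ...`) and pass the JSON to is_compliant; the service-wildcard case passing the rule is the reason the manual review above should not stop at what Config reports.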


