AWS Config Rule: IAM POLICY NO STATEMENTS WITH ADMIN ACCESS
IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
Fernando Honig
Last Update 2 years ago
Description: Checks the IAM policies that you create for Allow statements that grant permissions to all actions on all resources. The rule is NON_COMPLIANT if any policy statement includes "Effect": "Allow" with "Action": "*" over "Resource": "*". This rule checks only the IAM policies that you create. It does not check IAM Managed Policies. When you enable the rule, this rule checks all of the customer-managed policies in your account, and all new policies that you create.
Trigger type: Configuration changes
AWS Region: All supported AWS regions
How to Resolve Manually
To resolve this manually, sign in to your AWS Management Console and go to IAM (Identity and Access Management).
Select the NON_COMPLIANT IAM Policy that has Effect: Allow, Action: * and Resource: *.
List every service and action the principal actually needs, together with the specific resources it needs them on. You may need to add multiple statements to replace the single Action: * over Resource: * statement according to your needs.
Make sure to test if your Role/User/User group is still working as expected after you replace the Admin Access policy.
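As an added example (not StackZone's or AWS's own code), the following Python check applies the same test as the rule to a policy document: it flags only statements that combine Effect: Allow, Action: * and Resource: *, and it shows a scoped replacement written in the way the manual fix above describes. Both policy documents are constructed samples.

```python
import json

# Constructed sample: the shape the rule reports as NON_COMPLIANT.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: the same grant narrowed to the services, actions and
# resources actually needed, split over several statements.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        # A service-scoped wildcard is not the literal "*", so the rule does not
        # flag it, even over Resource "*". Tighten it as well where you can.
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def admin_statements(policy):
    """Return the indexes of statements matching the rule's condition:
    Effect Allow with Action "*" over Resource "*". Deny statements are ignored."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    return [
        i for i, stmt in enumerate(statements)
        if stmt.get("Effect") == "Allow"
        and "*" in _as_list(stmt.get("Action"))
        and "*" in _as_list(stmt.get("Resource"))
    ]


def evaluate(policy_or_json):
    """Mirror the rule's verdict for a policy given as a dict or a JSON string."""
    policy = json.loads(policy_or_json) if isinstance(policy_or_json, str) else policy_or_json
    return "NON_COMPLIANT" if admin_statements(policy) else "COMPLIANT"


if __name__ == "__main__":
    for name, pol in (("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, evaluate(pol), admin_statements(pol))
```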
Want to know more about StackZone and how to make your cloud management simple and secure?
Check our how it works section with easy to follow videos or just create your own StackZone Account here