Control: IAM policies should not allow full '*' administrative privileges
Description
This control checks whether the default version of customer managed IAM policies (the policies you create yourself) grants administrator access, that is, contains a statement with 'Effect': 'Allow' and 'Action': '*' over 'Resource': '*'. The control only checks customer managed policies; it does not check inline or AWS managed policies.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.iam_policy_custom_attached_no_star_star
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.iam_policy_custom_attached_no_star_star --share
SQL
This control uses a named query:
-- This query checks the customer managed policies having * access and attached to IAM resource(s)
with star_access_policies as (
  select
    arn,
    count(*) as num_bad_statements
  from
    aws_iam_policy,
    jsonb_array_elements(policy_std -> 'Statement') as s,
    jsonb_array_elements_text(s -> 'Resource') as resource,
    jsonb_array_elements_text(s -> 'Action') as action
  where
    not is_aws_managed
    and s ->> 'Effect' = 'Allow'
    and resource = '*'
    and (
      (action = '*' or action = '*:*')
    )
    and is_attached
  group by
    arn
)
select
  p.arn as resource,
  case
    when s.arn is null then 'ok'
    else 'alarm'
  end status,
  p.name || ' contains ' || coalesce(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' as reason,
  p.account_id
from
  aws_iam_policy as p
  left join star_access_policies as s on p.arn = s.arn
where
  not p.is_aws_managed;
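The same check applied to a single policy document, as an added Python example (not Steampipe's or Powerpipe's code). The two policy documents are constructed samples; like the query, the check flags only Allow statements whose Action is '*' or '*:*' on Resource '*', and it also handles the raw form where Action or Resource is a single string rather than a list.

```python
import json

# Constructed sample: a customer managed policy granting full administrative
# privileges, and a scoped policy that does not (note its Deny on */* is not flagged).
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts Statement/Action/Resource as a single string or a list; the
    query reads the normalised policy_std column, so normalise to a list here."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def count_star_star_statements(policy: dict) -> int:
    """Count statements matching the control's WHERE clause for one policy:
    Effect Allow, Action '*' or '*:*', Resource '*'."""
    bad = 0
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action")))
        resources = set(_as_list(stmt.get("Resource")))
        if "*" in resources and actions & {"*", "*:*"}:
            bad += 1
    return bad


def evaluate(name: str, policy: dict) -> dict:
    """Build the same status/reason row the control emits for one policy."""
    n = count_star_star_statements(policy)
    return {
        "resource": name,
        "status": "ok" if n == 0 else "alarm",
        "reason": f'{name} contains {n} statements that allow action "*" on resource "*".',
    }


if __name__ == "__main__":
    for name, policy in (("AdminPolicy", ADMIN_POLICY), ("ScopedPolicy", SCOPED_POLICY)):
        print(json.dumps(evaluate(name, policy)))
```

As in the query, only the Action and Resource keys are inspected, so statements written with NotAction or NotResource are not flagged.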