AWS IAM Least-Privilege Audit: Eliminating Wildcard Permissions
Introduction
Wildcard permissions ("*") in AWS IAM policies violate the principle of least privilege, creating unnecessary security risks. This guide demonstrates how to identify and remediate over-permissive policies using AWS-native tools.
Why Wildcards Are Dangerous
- Over-Privileged Access: Grants unintended permissions across entire AWS services
- Attack Surface Expansion: Increases risk of credential compromise abuse
- Compliance Violations: Fails standards like CIS AWS Foundations Benchmark
Identification Methods
# Example dangerous policy
{
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": "*"
}
Automated Detection Tools:
- AWS Access Analyzer: Scans for externally shared wildcards
- IAM Policy Simulator: Tests permissions against specific actions
- AWS Config Rules:
iam-policy-no-statements-with-admin-access
Remediation Steps
- Action-Level Granularity:
# Least-privilege alternative
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::specific-bucket/*"
}
Resource Constraints:
- Replace
"Resource": "*"with explicit ARNs - Implement condition keys (e.g.,
aws:RequestedRegion)
- Replace
Access Advisor Utilization:
- Review last-accessed timestamps in IAM Console
- Remove unused permissions
Continuous Monitoring
- Enable IAM Access Analyzer for policy validation
- Implement permission boundaries for human users
- Schedule quarterly policy reviews with AWS Config
Advanced Techniques
- SCP Chaining: Combine service control policies with IAM
- AWS Backup Vault Lock: Prevent wildcard deletion rights
- Cross-Account Conditionals: Restrict
sts:AssumeRolewithaws:PrincipalAccount