A policy that allows identities to access all resources in an AWS account may violate the principle of least privilege. Suppose an identity has permission to access all resources even though it only requires access to some non-sensitive ones. In this case, unauthorized access to and disclosure of sensitive information will occur.

Ask Yourself Whether

The AWS account:

There is a risk if you answered yes to any of these questions.

Recommended Secure Coding Practices

It is recommended to apply the least privilege principle, i.e. to grant access only to the resources that are actually necessary. A good practice to achieve this is to organize or tag resources according to the sensitivity level of the data they store or process, which makes secure access control less prone to errors.

Noncompliant Code Example

Update permission is granted for all policies using the wildcard (*) in the Resource property:

MyPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
        PolicyDocument:
            Version: "2012-10-17"
            Statement:
                - Effect: Allow
                  Action:
                      - "iam:CreatePolicyVersion"
                  Resource:
                      - "*" # Sensitive
        Roles:
            - !Ref MyRole

Compliant Solution

Restrict update permission to the appropriate subset of policies:

MyPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
        PolicyDocument:
            Version: "2012-10-17"
            Statement:
                - Effect: Allow
                  Action:
                      - "iam:CreatePolicyVersion"
                  Resource:
                      - !Sub "arn:aws:iam::${AWS::AccountId}:policy/team1/*"
        Roles:
            - !Ref MyRole

Exceptions

No issue is reported for key policies in AWS KMS.
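The check this rule describes, written out as an added example (not the rule's own implementation): it walks a CloudFormation template in its JSON form, reports Allow statements whose Resource is the bare "*", lets scoped ARNs built with Fn::Sub pass, ignores Deny statements, and skips AWS::KMS::Key key policies as the exception above requires. The template, the resource names and the team1 path are constructed for the example.

```python
"""Detect IAM policy statements in a CloudFormation template that grant an
action on every resource ("*"), the pattern this rule reports."""


def _as_list(value):
    """IAM accepts a single string (or one intrinsic-function dict) or a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def policy_documents(resource):
    """Collect the identity-policy documents attached to one CloudFormation
    resource. AWS::KMS::Key KeyPolicy is deliberately skipped (rule exception)."""
    rtype, props = resource.get("Type", ""), resource.get("Properties", {})
    if rtype in ("AWS::IAM::ManagedPolicy", "AWS::IAM::Policy"):
        return [props.get("PolicyDocument", {})]
    if rtype in ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"):
        return [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
    return []


def find_wildcard_resources(template):
    """Return (logical_id, statement_index, actions) for every Allow statement
    whose Resource is the bare wildcard. A scoped ARN produced by Fn::Sub is a
    dict, never equal to "*", so the compliant form is not reported."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        for doc in policy_documents(resource):
            for i, st in enumerate(_as_list(doc.get("Statement", []))):
                if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Resource", [])):
                    findings.append((logical_id, i, _as_list(st.get("Action", []))))
    return findings


# Constructed template in CloudFormation's JSON form (!Sub appears as its
# long-form intrinsic function); not taken from any real account.
SAMPLE_TEMPLATE = {"Resources": {
    "MyPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
        "Statement": [{"Effect": "Allow", "Action": ["iam:CreatePolicyVersion"],
                       "Resource": ["*"]}]}}},  # Sensitive: every policy in the account
    "TeamPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
        "Statement": [{"Effect": "Allow", "Action": ["iam:CreatePolicyVersion"],
                       "Resource": [{"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/team1/*"}]}]}}},
    "DenyEverything": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
        "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*"}}}},  # Deny: not reported
    "MyKey": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {  # key policy: exception
        "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*",
                       "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}}}]}}},
}}

if __name__ == "__main__":
    print(find_wildcard_resources(SAMPLE_TEMPLATE))  # [('MyPolicy', 0, ['iam:CreatePolicyVersion'])]
```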

See