A policy that allows identities to access all resources in an AWS account may violate the principle of least privilege. Suppose an identity has permission to access all resources even though it only requires access to some non-sensitive ones. In this case, unauthorized access and disclosure of sensitive information will occur.
The AWS account has more than one resource with different levels of sensitivity.
A risk exists if you answered yes to this question.
It’s recommended to apply the least privilege principle, i.e., by only granting access to necessary resources. A good practice to achieve this is to organize or tag resources depending on the sensitivity level of data they store or process. Therefore, managing a secure access control is less prone to errors.
Update permission is granted for all policies using the wildcard (*) in the Resource property:
AWSTemplateFormatVersion: 2010-09-09
Resources:
ExamplePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "iam:CreatePolicyVersion"
Resource:
- "*" # Sensitive
Roles:
- !Ref MyRole
Restrict update permission to the appropriate subset of policies:
AWSTemplateFormatVersion: 2010-09-09
Resources:
ExamplePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "iam:CreatePolicyVersion"
Resource:
- !Sub "arn:aws:iam::${AWS::AccountId}:policy/team1/*"
Roles:
- !Ref MyRole