Ensure customer-managed IAM policies do not grant full administrative access
Why this matters
Granting broad administrative permissions through custom IAM policies contradicts the principle of least privilege. Policies with "Action": "*" and "Resource": "*" effectively give unrestricted access, increasing the risk of accidental misconfiguration or exploitation by compromised credentials.
Auto Checks help surface such overly permissive policies and make it easier to tighten access based on actual operational requirements.
What this check does
This check identifies any customer-managed IAM policies that allow full administrative access across all resources.
It flags policies that:
- Use "Effect": "Allow"
- Combine "Action": "*" with "Resource": "*"
This check focuses only on custom-defined (not AWS-managed) policies.
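The same rule expressed as a script, added here as an example (not code from the page or from the Auto Checks product): it evaluates a policy document for an Allow statement with "*" in both Action and Resource, handling the string-or-list forms IAM accepts and a single statement object as well as a list, and optionally walks an account's customer-managed policies through boto3. The sample policy documents are constructed.

```python
"""Flag customer-managed IAM policies that allow Action "*" on Resource "*"."""
import json
from urllib.parse import unquote


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin(policy_document):
    """True if any statement is Effect Allow with Action '*' and Resource '*'."""
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def find_admin_policies(iam):
    """Run the check over every customer-managed (Scope=Local) policy via a boto3
    IAM client; returns the ARNs whose default version grants full admin."""
    flagged = []
    for page in iam.get_paginator("list_policies").paginate(Scope="Local"):
        for pol in page["Policies"]:
            version = iam.get_policy_version(
                PolicyArn=pol["Arn"], VersionId=pol["DefaultVersionId"])
            doc = version["PolicyVersion"]["Document"]
            if isinstance(doc, str):  # boto3 normally decodes this; guard anyway
                doc = json.loads(unquote(doc))
            if is_full_admin(doc):
                flagged.append(pol["Arn"])
    return flagged


# Constructed sample documents (not from a real account) for a stand-alone run.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                "Resource": "arn:aws:s3:::example-bucket/*"}]}
DENY_ALL_POLICY = {"Version": "2012-10-17",
                   "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*"}}

if __name__ == "__main__":
    import boto3  # only needed for the live check against an account
    print(find_admin_policies(boto3.client("iam")))
```

Note that a wildcard buried in a list (for example "Action": ["iam:*", "*"]) is still flagged, whereas a Deny statement with the same wildcards is not.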
How to fix it
From the AWS Console
- Sign in to the IAM Console
- In the left menu, select Policies
- Search for policies with administrative patterns (e.g., "admin", "fullaccess") or inspect those flagged by the check
- Click into a policy and open the Policy Summary
- If you see "*" under both actions and resources:
  - Detach the policy from any users, groups, or roles
  - Delete or rewrite the policy to allow only the necessary actions
From the AWS CLI
# List where a specific policy is attached
aws iam list-entities-for-policy --policy-arn <policy_arn>
# Detach from a user
aws iam detach-user-policy --user-name <user_name> --policy-arn <policy_arn>
# Detach from a group
aws iam detach-group-policy --group-name <group_name> --policy-arn <policy_arn>
# Detach from a role
aws iam detach-role-policy --role-name <role_name> --policy-arn <policy_arn>
You can use the policy simulation tools in AWS IAM to test whether a revised policy still grants every permission the workload requires without granting more than needed.
Exceptions
In specific operational contexts (such as break-glass or emergency roles), broader permissions may be temporarily allowed. These roles must:
- Be monitored
- Be protected with MFA
- Be documented with use-case justification
- Have alerts set for any usage