Prevent IAM identities from having inline policies with unrestricted access
Why this matters
Inline IAM policies are directly attached to users, roles, or groups. Unlike managed policies, they are harder to audit and reuse, and often introduce overly broad permissions without oversight. If an inline policy grants unrestricted access using "Action": "*", it effectively gives full admin rights, violating the principle of least privilege.
This check ensures that inline policies do not introduce unnecessary risk and encourages use of managed policies for better control and visibility.
What this check does
This check evaluates all IAM users, roles, and groups with attached inline policies and verifies whether any of those policies contain:
"Effect": "Allow"
"Action": "*"
"Resource": "*"
It passes if no inline policies grant full admin access. It fails if any inline policy allows unrestricted access.
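The evaluation logic described above, written as an added example (not the check's own source code): it flags any Allow statement that grants "Action": "*" on "Resource": "*", handling the IAM shorthand where Statement, Action or Resource is a single value rather than a list. The sample inline policy documents are constructed; in practice they would be retrieved from the account.

```python
import json

# Added example (not the check's own code): flags the pattern the check describes,
# an Allow statement with Action "*" and Resource "*". Sample documents are constructed.

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def grants_full_admin(policy_document):
    """True if any Allow statement grants Action "*" on Resource "*".

    Handles the shorthand where Statement is a single object instead of a list.
    Deny statements never trigger the finding, and NotAction/NotResource
    statements are not matched because they lack the literal pattern checked here.
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False

def evaluate_inline_policies(identity_policies):
    """identity_policies: {"<type>/<name>": {policy_name: document}}; returns failing pairs."""
    return [(identity, name)
            for identity, policies in identity_policies.items()
            for name, doc in policies.items()
            if grants_full_admin(doc)]

# Constructed sample inline policies (not real account data).
SAMPLE_INLINE_POLICIES = {
    "user/alice": {"AdminInline": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "*", "Resource": "*"}}},
    "role/app-role": {
        "S3ReadOnly": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket/*"}]},
        "DenyAll": {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]},
    },
}

if __name__ == "__main__":
    for identity, policy in evaluate_inline_policies(SAMPLE_INLINE_POLICIES):
        print(f"FAIL: {identity} inline policy {policy!r} grants unrestricted access")
```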
How to fix it
From the AWS Console
Sign in to the IAM Console
Go to Users, Groups, or Roles
Select each identity and scroll to the Inline Policies section
Review the inline policy document
If the policy grants "Action": "*" and "Resource": "*", click Delete
Replace it with a managed policy that only grants necessary permissions
From the AWS CLI
You can list and evaluate inline policies using these commands:
# List inline policies for a user
aws iam list-user-policies --user-name <user-name>
# Show the policy document so it can be reviewed for "Action": "*" and "Resource": "*"
aws iam get-user-policy --user-name <user-name> --policy-name <policy-name>
# Delete an inline policy
aws iam delete-user-policy --user-name <user-name> --policy-name <policy-name>
Repeat for list-group-policies and list-role-policies if needed.
Best Practices
Prefer managed policies over inline policies for easier governance
Always design policies based on specific job functions
Use policy simulation tools to test for over-permissioning before deployment
Exceptions
There are no widely accepted exceptions to this rule. In rare edge cases, a tightly scoped inline policy may be allowed temporarily, but this should be clearly documented and removed after use.