Prevent IAM Inline Policies from Granting Full CloudTrail Access
Why this matters
IAM policies that include "Action": "cloudtrail:*" grant full permissions to AWS CloudTrail, including the ability to disable logging or delete audit records. This undermines your ability to:
Maintain a reliable audit trail of account activity
Detect unauthorized behavior or suspicious events
Satisfy compliance requirements for log integrity
Granting broad CloudTrail permissions contradicts the principle of least privilege and can enable malicious actors or misconfigured systems to cover their tracks by modifying or removing audit logs.
What this check does
This Auto Check verifies whether any inline IAM policies in your AWS account contain:
Actions that include cloudtrail:*
Broad access across all resources (e.g., "Resource": "*")
Explicit allow statements ("Effect": "Allow") for CloudTrail service operations
The check will fail if such risky permissions are detected in any inline policy.
How to fix it
You should remove or restrict any IAM inline policies that grant full CloudTrail access.
From the AWS Console
Open the IAM Console.
Navigate to Policies and search for policies with cloudtrail:* permissions.
Review the attached identities (users, groups, or roles).
Detach the policy from all attached entities.
Delete the policy if it's no longer needed.
Create a more specific policy that grants only necessary CloudTrail permissions (e.g., read-only access for auditors).
Using AWS CLI
# The commands below operate on managed policies, which are referenced by ARN.
# An inline policy is embedded in the identity itself and is listed and removed
# with that identity's own commands (for example aws iam list-user-policies and
# aws iam delete-user-policy, and likewise for groups and roles).

# List all entities using a policy
aws iam list-entities-for-policy --policy-arn <policy_arn>
# Detach from user
aws iam detach-user-policy --user-name <user_name> --policy-arn <policy_arn>
# Detach from group
aws iam detach-group-policy --group-name <group_name> --policy-arn <policy_arn>
# Detach from role
aws iam detach-role-policy --role-name <role_name> --policy-arn <policy_arn>
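The criteria listed under "What this check does" (an Allow statement whose Action covers cloudtrail:* on Resource "*") and the inline-policy review described under "How to fix it" can both be scripted. The Python below is an added example, not Trend Micro's checker and not AWS code: it evaluates inline policy documents against those criteria, also treats an Allow statement whose NotAction does not exclude CloudTrail as a full grant (a generalisation beyond the page's list), walks an account's users, groups and roles with boto3 when run directly, and carries a read-only replacement document of the kind step 6 asks for. The policy documents in it are constructed samples, and the boto3 scan assumes credentials holding IAM list and get permissions.

```python
"""Find inline IAM policies that grant full CloudTrail access.

Added example for this check (not the vendor's or AWS's own code).
BAD_INLINE_POLICY is a constructed sample; scan_inline_policies() assumes a
boto3 IAM client created from credentials with iam:List* and iam:Get* rights.
"""
from typing import Any, Dict, List, Tuple


def _as_list(value: Any) -> List[str]:
    """IAM lets Action/NotAction/Resource be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _covers_cloudtrail(action: str) -> bool:
    """True if one Action pattern grants every CloudTrail operation.

    Action names are matched case-insensitively by IAM, so "CloudTrail:*"
    equals "cloudtrail:*"; a bare "*" covers the whole service as well.
    """
    return action.lower() in ("*", "cloudtrail:*")


def _not_action_excludes_cloudtrail(not_actions: List[str]) -> bool:
    """A NotAction Allow grants everything it does not name; CloudTrail is
    excluded only if an entry is "*" or some cloudtrail:... pattern."""
    return any(n.lower() == "*" or n.lower().startswith("cloudtrail:")
               for n in not_actions)


def offending_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Statements that Allow full CloudTrail access on all resources."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # single statement without a list wrapper
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # scoped to specific trails: not the broad grant checked here
        if "NotAction" in stmt:
            full = not _not_action_excludes_cloudtrail(_as_list(stmt["NotAction"]))
        else:
            full = any(_covers_cloudtrail(a) for a in _as_list(stmt.get("Action")))
        if full:
            found.append(stmt)
    return found


def grants_full_cloudtrail(policy: Dict[str, Any]) -> bool:
    """The check's pass/fail verdict for one inline policy document."""
    return bool(offending_statements(policy))


def scan_inline_policies(iam) -> List[Tuple[str, str, str]]:
    """Return (identity_type, identity_name, policy_name) for every inline
    policy in the account that fails the check. `iam` is a boto3 IAM client;
    boto3 returns PolicyDocument already decoded into a dict."""
    kinds = (
        ("user", "list_users", "Users", "UserName", "list_user_policies", "get_user_policy"),
        ("group", "list_groups", "Groups", "GroupName", "list_group_policies", "get_group_policy"),
        ("role", "list_roles", "Roles", "RoleName", "list_role_policies", "get_role_policy"),
    )
    findings = []
    for kind, lister, key, name_key, list_pol, get_pol in kinds:
        for page in iam.get_paginator(lister).paginate():
            for identity in page[key]:
                name = identity[name_key]
                for ppage in iam.get_paginator(list_pol).paginate(**{name_key: name}):
                    for pol_name in ppage["PolicyNames"]:
                        doc = getattr(iam, get_pol)(**{name_key: name, "PolicyName": pol_name})
                        if grants_full_cloudtrail(doc["PolicyDocument"]):
                            findings.append((kind, name, pol_name))
    return findings


# Constructed sample of the risky shape this check flags.
BAD_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["cloudtrail:*"], "Resource": "*"}],
}

# Least-privilege replacement for auditors: read and query only, no ability
# to stop logging, delete trails or change event selectors.
READ_ONLY_CLOUDTRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
                   "cloudtrail:GetEventSelectors", "cloudtrail:ListTrails",
                   "cloudtrail:LookupEvents"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    import boto3  # assumption: configured credentials with IAM read access
    for kind, name, pol in scan_inline_policies(boto3.client("iam")):
        print(f"{kind} {name}: inline policy {pol} grants full CloudTrail access")
```

Run it against a live account to get the identities and inline policy names to clean up with the matching delete-user-policy / delete-group-policy / delete-role-policy commands; the read-only document can be put in place afterwards for the people who only need to inspect trails and look up events.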
Exceptions
If you are using automated provisioning tools or delegated administrative roles, ensure:
CloudTrail access is limited to monitoring or compliance personnel
Any temporary elevated access is logged and removed after use
Inline policies are reviewed periodically via automation or audits