Help Center
Go back to application
Help Center
Go back to application
Platform Terms Glossary
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risksApplying controls to risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainings
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explainedAuto Checks: AWS Auto Checks: GCPAuto Checks: AzureAuto Checks Integration Guide for AzureAuto Checks Integration Guide for GCP
AWS Auto Checks Detailed Explanations
Enforce MFA on the AWS Root AccountVerify CloudTrail is logging management events across all AWS regionsEnsure no IAM AWS-managed policies grant full administrative accessConfirm that Amazon GuardDuty is enabled for threat detectionEnsure the root account does not have any active access keysConfirm IAM Access Analyzer is enabled to monitor access permissionsConfigure a log metric filter and alarm for unauthorized API callsConfigure a log metric filter and alarm for root account usageEnsure customer-managed IAM policies do not grant full administrative accessPrevent IAM identities from having inline policies with unrestricted accessMaintain accurate and up-to-date AWS account contact informationRegister a valid security contact in the AWS account settingsBlock IAM Inline Policies That Enable Privilege EscalationPrevent IAM Inline Policies from Granting Full CloudTrail AccessAvoid Full KMS Access in Inline IAM PoliciesPrevent Overly Permissive Role Assumption in Custom IAM PoliciesPrevent Privilege Escalation via Customer-Managed IAM PoliciesAvoid IAM Policies Granting Full CloudTrail AccessAvoid IAM Policies Granting Unrestricted KMS AccessPrevent IAM Roles from Assigning ReadOnlyAccess Permissions to External AWS AccountsProtect IAM Service Roles from Confused Deputy Attacks Using Proper Trust PoliciesAvoid Provisioning Access Keys During Initial IAM User Creation When Console Login is EnabledDetect IAM Users with Multiple Active Access Keys and Enforce Key Rotation

Prevent IAM Inline Policies from Granting Full CloudTrail Access

Framework Reference: A.8.2 (Information Access Restrictions) Integration: AWS – IAM

Why this matters

IAM policies that include "Action": "cloudtrail:*" grant full permissions to AWS CloudTrail, including the ability to disable logging or delete audit records. This undermines your ability to:

Maintain a reliable audit trail of account activity

Detect unauthorized behavior or suspicious events

Satisfy compliance requirements for log integrity

Granting broad CloudTrail permissions contradicts the principle of least privilege and can enable malicious actors or misconfigured systems to cover their tracks by modifying or removing audit logs.

What this check does

This Auto Check verifies whether any inline IAM policies in your AWS account contain:

Actions that include cloudtrail:*

Broad access across all resources (e.g., "Resource": "*")

Explicit allow statements ("Effect": "Allow") for CloudTrail service operations

The check will fail if such risky permissions are detected in any inline policy.

How to fix it

You should remove or restrict any IAM inline policies that grant full CloudTrail access.

From the AWS Console

Open the IAM Console.

Navigate to Policies and search for policies with cloudtrail:* permissions.

Review the attached identities (users, groups, or roles).

Detach the policy from all attached entities.

Delete the policy if it’s no longer needed.

Create a more specific policy that grants only necessary CloudTrail permissions (e.g., read-only access for auditors).

Using AWS CLI

# List all entities using a policy aws iam list-entities-for-policy --policy-arn <policy_arn> # Detach from user aws iam detach-user-policy --user-name <user_name> --policy-arn <policy_arn> # Detach from group aws iam detach-group-policy --group-name <group_name> --policy-arn <policy_arn> # Detach from role aws iam detach-role-policy --role-name <role_name> --policy-arn <policy_arn>

Exceptions

If you are using automated provisioning tools or delegated administrative roles, ensure:

CloudTrail access is limited to monitoring or compliance personnel

Any temporary elevated access is logged and removed after use

Inline policies are reviewed periodically via automation or audits

Further Resources

IAM Best Practices – AWS Documentation

IAM Policy Structure

AWS CLI IAM Reference

Was this article helpful?

Powered by Product Fruits