Prevent IAM Inline Policies from Granting Full CloudTrail Access

Framework Reference: A.8.2 (Information Access Restrictions)

Integration: AWS – IAM

Why this matters

IAM policies that include "Action": "cloudtrail:*" grant full permissions to AWS CloudTrail, including the ability to disable logging or delete audit records. This undermines your ability to:

Maintain a reliable audit trail of account activity

Detect unauthorized behavior or suspicious events

Satisfy compliance requirements for log integrity

Granting broad CloudTrail permissions contradicts the principle of least privilege and can enable malicious actors or misconfigured systems to cover their tracks by modifying or removing audit logs.


What this check does

This Auto Check verifies whether any inline IAM policies in your AWS account contain:

Actions that include cloudtrail:*

Broad access across all resources (e.g., "Resource": "*")

Explicit allow statements ("Effect": "Allow") for CloudTrail service operations

The check will fail if such risky permissions are detected in any inline policy.


How to fix it

You should remove or restrict any IAM inline policies that grant full CloudTrail access.

From the AWS Console

Open the IAM Console.

Navigate to Policies and search for policies with cloudtrail:* permissions.

Review the attached identities (users, groups, or roles).

Detach the policy from all attached entities.

Delete the policy if it’s no longer needed.

Create a more specific policy that grants only necessary CloudTrail permissions (e.g., read-only access for auditors).

Using AWS CLI

# List all entities using a policy
aws iam list-entities-for-policy --policy-arn <policy_arn>

# Detach from user
aws iam detach-user-policy --user-name <user_name> --policy-arn <policy_arn>

# Detach from group
aws iam detach-group-policy --group-name <group_name> --policy-arn <policy_arn>

# Detach from role
aws iam detach-role-policy --role-name <role_name> --policy-arn <policy_arn>
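The following Python script is an added example covering both the "What this check does" and "How to fix it" sections; it is not the Auto Check's own implementation. It applies the three criteria above (Effect Allow, an action pattern covering the whole cloudtrail namespace, Resource "*") to a set of inline policies and then renders the CLI commands that remove each flagged policy. It goes slightly beyond the text in two ways: an action pattern of "*" or "cloud*:*" is treated as covering cloudtrail:* (IAM matching is case-insensitive and wildcard-based), and an Allow statement using NotAction that excludes nothing in the cloudtrail namespace is also flagged, since it grants the whole service implicitly. The sample policies are constructed; the Owner field is a constructed flattening of the per-principal lists that aws iam get-account-authorization-details returns, and nothing here calls AWS.

```python
"""Flag IAM inline policies that grant full CloudTrail access and render
the CLI commands that delete them. Added example; constructed sample data."""
from fnmatch import fnmatchcase

# Constructed sample inline policies. Owner is a constructed
# "<kind>/<name>" label; in get-account-authorization-details output the
# policies sit under UserPolicyList / GroupPolicyList / RolePolicyList.
SAMPLE_INLINE_POLICIES = [
    {"Owner": "user/alice", "PolicyName": "ops-admin",
     "PolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["s3:GetObject", "CloudTrail:*"],
          "Resource": "*"}]}},
    {"Owner": "role/ci-deploy", "PolicyName": "almost-everything",
     "PolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}},
    {"Owner": "role/auditor", "PolicyName": "trail-readonly",
     "PolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow",
          "Action": ["cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
                     "cloudtrail:LookupEvents"],
          "Resource": "*"}]}},
    {"Owner": "group/devs", "PolicyName": "deny-trail-changes",
     "PolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Deny", "Action": "cloudtrail:*", "Resource": "*"}]}},
]


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/NotAction/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def covers_all_cloudtrail(pattern):
    """True if one IAM action pattern matches every cloudtrail:* action.

    IAM action matching is case-insensitive; '*' and '?' are the wildcards.
    '*', 'cloudtrail:*', '*:*' and 'cloud*:*' qualify; 'cloudtrail:Delete*'
    does not, because it grants partial rather than full access.
    """
    pattern = pattern.strip().lower()
    if pattern == "*":
        return True
    service, sep, action = pattern.partition(":")
    return bool(sep) and action == "*" and fnmatchcase("cloudtrail", service)


def find_risky_statements(inline_policies):
    """One finding per Allow statement that grants full CloudTrail access."""
    findings = []
    for policy in inline_policies:
        for stmt in _as_list(policy["PolicyDocument"].get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue  # a Deny statement only removes permissions
            actions = _as_list(stmt.get("Action"))
            not_actions = _as_list(stmt.get("NotAction"))
            if actions:
                full = any(covers_all_cloudtrail(a) for a in actions)
            else:
                # Allow + NotAction grants everything not listed: full
                # CloudTrail access unless some exclusion touches cloudtrail.
                full = not any(
                    fnmatchcase("cloudtrail", n.lower().partition(":")[0])
                    for n in not_actions)
            if full:
                findings.append({
                    "owner": policy["Owner"],
                    "policy_name": policy["PolicyName"],
                    # third criterion from the article: Resource "*"
                    "all_resources": "*" in _as_list(stmt.get("Resource")),
                })
    return findings


# Inline policies live inside the principal, so they are deleted with
# delete-*-policy rather than detached like managed policies.
_DELETE_CMD = {
    "user": "aws iam delete-user-policy --user-name {name} --policy-name {policy}",
    "group": "aws iam delete-group-policy --group-name {name} --policy-name {policy}",
    "role": "aws iam delete-role-policy --role-name {name} --policy-name {policy}",
}


def remediation_commands(findings):
    """Render one AWS CLI delete command per flagged inline policy."""
    commands = set()
    for f in findings:
        kind, _, name = f["owner"].partition("/")
        commands.add(_DELETE_CMD[kind].format(name=name, policy=f["policy_name"]))
    return sorted(commands)


if __name__ == "__main__":
    found = find_risky_statements(SAMPLE_INLINE_POLICIES)
    for f in found:
        scope = " on all resources" if f["all_resources"] else ""
        print(f"FAIL {f['owner']} inline policy {f['policy_name']!r}{scope}")
    for cmd in remediation_commands(found):
        print("  ", cmd)
```

Running the script flags the alice and ci-deploy policies and prints the two delete commands; the auditor's trail-readonly policy passes, which is the shape of the narrower replacement policy the console steps call for. Note that the CLI block above detaches managed policies; an inline policy embedded in a user, group, or role is removed with delete-user-policy, delete-group-policy, or delete-role-policy as rendered here.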


Exceptions

If you are using automated provisioning tools or delegated administrative roles, ensure:

CloudTrail access is limited to monitoring or compliance personnel

Any temporary elevated access is logged and removed after use

Inline policies are reviewed periodically via automation or audits


Further Resources

IAM Best Practices – AWS Documentation

IAM Policy Structure

AWS CLI IAM Reference
