criticalInfrastructure

Overly Permissive AWS IAM Policies

What Is This Vulnerability?

An AWS IAM role or policy that grants wildcard permissions (such as Action: * or Resource: *) gives far more access than needed. If an attacker compromises a service or user with this role, they gain unrestricted control over your entire AWS account, including the ability to create new users, exfiltrate data, or delete resources.

Why It Happens

Teams often use overly broad IAM policies during development because fine-grained policies take time to author. Managed policies like AdministratorAccess get attached to service roles for convenience. Without regular audits, these permissive policies persist into production and accumulate over time.

Example Code

Vulnerableiam-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
Fixediam-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-app-uploads/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/users"
    }
  ]
}

How Hackers Exploit It

Attackers who compromise any resource attached to an overprivileged IAM role can escalate privileges across the entire AWS account. They can create new IAM users with console access, spin up cryptocurrency miners on EC2, access all S3 buckets, read secrets from Secrets Manager, and modify CloudTrail logs to cover their tracks.

How to Fix It

Follow the principle of least privilege by granting only the specific actions and resources each service needs. Use IAM Access Analyzer to identify unused permissions and tighten policies. Set permission boundaries on roles. Schedule regular IAM credential reports and remove unused roles. Use AWS Organizations SCPs to set account-wide guardrails.

Frequently Asked Questions

How do I find overly permissive IAM policies?
Use IAM Access Analyzer to identify policies granting broad access. You can also run 'aws iam get-account-authorization-details' and search for policies containing Action: * or Resource: *. Tools like Prowler and ScoutSuite automate this scanning across your account.
What is the principle of least privilege for IAM?
It means granting each identity (user, role, or service) only the minimum permissions required to perform its specific task. Instead of allowing all S3 actions, you would allow only s3:GetObject on the specific bucket the service needs to read from.
Are AWS managed policies safe to use?
Some are, but policies like AdministratorAccess or PowerUserAccess are intentionally broad and should never be attached to service roles. Prefer creating custom policies scoped to exact actions and resources. If you use managed policies, review their permissions and pair them with permission boundaries.

Related Security Topics

Docker Socket Exposed to Containers

Learn about docker socket exposed to containers and how to fix it.

Git Directory Accessible via Web Server

Learn about git directory accessible via web server and how to fix it.

GraphQL Introspection Enabled in Production

Learn about graphql introspection enabled in production and how to fix it.

Check Your Code for This Vulnerability

Run a free scan to check if your site is affected by overly permissive aws iam policies.