Audit an AWS IAM policy for wildcard grants, public principals, missing conditions and privilege-escalation actions.
- [critical] Full administrative access (Sid "AdminEverything")
  Allows every action ("*") on every resource ("*"), which is equivalent to the AWS managed AdministratorAccess policy.
- [high] Privilege-escalation actions (Sid "AdminEverything")
  Action "*" covers every escalation-capable action this check looks for: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:PassRole, iam:CreateAccessKey, iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:PutRolePolicy, iam:AddUserToGroup, iam:UpdateAssumeRolePolicy, sts:AssumeRole, lambda:CreateFunction, glue:CreateDevEndpoint, cloudformation:CreateStack. iam:PassRole on Resource "*" with no Condition lets a principal pass any role to a service.
- [high] Privilege-escalation actions (Sid "PassAnyRole")
  Grants iam:PassRole and lambda:CreateFunction, which chain: a principal can create a Lambda function under any role in the account and, once it is invoked, run code with that role's permissions. iam:PassRole on Resource "*" with no Condition lets a principal pass any role to a service.
- [medium] Resource "*" (Sid "PassAnyRole")
  Statement applies to every resource. Scope iam:PassRole to the ARNs of the roles that actually need to be passed, and lambda:CreateFunction to the intended function ARNs.
- [low] No Condition on a broad grant (Sid "AdminEverything")
  Consider scoping with conditions (e.g. aws:SourceIp, aws:MultiFactorAuthPresent, or aws:PrincipalOrgID for a resource-based policy).
- [low] No Condition on a broad grant (Sid "PassAnyRole")
  Consider scoping with conditions (e.g. aws:SourceIp, aws:MultiFactorAuthPresent). For iam:PassRole specifically, a StringEquals condition on iam:PassedToService (e.g. lambda.amazonaws.com) limits which service the role can be passed to.