Updated on 2024-12-10 GMT+08:00

Custom Policies Do Not Allow All Actions for a Service

Rule Details

Table 1 Rule details

| Parameter | Description |
|---|---|
| Rule Name | iam-role-has-all-permissions |
| Identifier | iam-role-has-all-permissions |
| Description | If a custom policy or role allows all actions for a cloud service, this policy or role is noncompliant. |
| Tag | iam |
| Trigger Type | Configuration change |
| Filter Type | iam.roles, iam.policies |
| Configure Rule Parameters | None |

Applicable Scenario

This rule allows you to ensure that your IAM users or agencies do not have unintended permissions attached. To ensure resource security, an IAM role or policy should not allow all actions for a cloud service.

Solution

The administrator can modify noncompliant IAM policies or roles. For more details, see Modifying or Deleting a Custom Policy.

Rule Logic

  • If a custom policy or role allows all actions for a cloud service, this policy or role is noncompliant.
  • If a custom policy or role denies one or more actions for a cloud service, this policy or role is compliant.
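The rule logic above can be reproduced offline to pre-check a policy before it is attached. The following is an added example, not Config's own evaluation code: it assumes a policy document is JSON with a `Statement` list whose entries carry `Effect` and `Action`, that actions are colon-separated strings starting with the service name, and it reads the second bullet as "a Deny statement for the same service makes the policy compliant". The function names and sample policies are constructed for illustration.

```python
# Added example: an offline approximation of the rule logic, not Config's code.
# Assumption: policy = {"Statement": [{"Effect": "Allow"|"Deny", "Action": [...]}]}
# and each action is a colon-separated string beginning with the service name.

def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def full_wildcard_service(action):
    """Return the service whose actions are all covered by `action`
    (e.g. "obs:*" or "obs:*:*"; "*" means every service), else None."""
    parts = action.strip().lower().split(":")
    service, rest = parts[0], parts[1:]
    if not service:
        return None
    if service == "*" and all(p == "*" for p in rest):
        return "*"
    if rest and all(p == "*" for p in rest):
        return service
    return None

def evaluate(policy):
    """Return (state, offending_services) for one policy document."""
    allowed_all, denied = set(), set()
    for stmt in policy.get("Statement", []):
        effect = stmt.get("Effect")
        for action in _as_list(stmt.get("Action")):
            if effect == "Allow":
                service = full_wildcard_service(action)
                if service:
                    allowed_all.add(service)
            elif effect == "Deny":
                # Assumed reading of the second rule: any Deny for the service counts.
                denied.add(action.strip().lower().split(":")[0])
    offending = sorted(allowed_all - denied)
    return ("NonCompliant" if offending else "Compliant", offending)

# Constructed sample policies (not taken from any real account).
SAMPLES = {
    "obs-full": {"Statement": [{"Effect": "Allow", "Action": ["obs:*:*"]}]},
    "ecs-read": {"Statement": [{"Effect": "Allow",
                                "Action": ["ecs:servers:list", "ecs:servers:get"]}]},
    "ecs-full-with-deny": {"Statement": [
        {"Effect": "Allow", "Action": "ecs:*"},
        {"Effect": "Deny", "Action": ["ecs:servers:delete"]}]},
}

if __name__ == "__main__":
    for name, policy in SAMPLES.items():
        print(name, *evaluate(policy))
```

A policy reported as `Compliant` here can still be broader than intended; the check only mirrors the two conditions listed under Rule Logic.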