Admin Permissions Check
Rule Details
| Parameter | Description |
|---|---|
| Rule Name | iam-policy-no-statements-with-admin-access |
| Identifier | iam-policy-no-statements-with-admin-access |
| Description | If a custom policy or role allows all actions (with the action element set to *:*:*, *:*, or *) for all cloud services, this policy or role is noncompliant. |
| Tag | iam |
| Trigger Type | Configuration change |
| Filter Type | iam.roles, iam.policies |
| Configure Rule Parameters | None |
Applicable Scenario
This rule allows you to detect IAM users, user groups, and agencies that have unintended policies attached. An IAM policy with the action element set to *:*:*, *:*, or * grants every action on every cloud service and therefore poses a high security risk.
Solution
The administrator can modify noncompliant IAM policies or roles. For more details, see Modifying or Deleting a Custom Policy.
Rule Logic
- If a custom policy or role allows all actions (with the action element set to *:*:*, *:*, or *) for all cloud services, this policy or role is noncompliant.
- If a custom policy or role does not allow all actions for all cloud services, this policy or role is compliant.
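The rule logic above, as an added example (not the rule engine's own code): it assumes a policy document shaped like a Huawei Cloud custom policy, a JSON object with a "Statement" list whose entries carry "Effect" and "Action" (string or list), and flags only Allow statements that use one of the three all-actions wildcards.

```python
"""Detect IAM custom policies that grant all actions on all services.

Added example, not the rule engine's code. Assumes the policy is a JSON
document with a "Statement" list whose entries carry "Effect" and "Action"
(a string or a list), as Huawei Cloud custom policies do.
"""
import json

# The three wildcard forms the rule treats as full admin access.
ADMIN_ACTIONS = {"*:*:*", "*:*", "*"}


def _as_list(value):
    """Normalise a string-or-list policy field to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def admin_statements(policy):
    """Return indexes of Allow statements that use an all-actions wildcard."""
    hits = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if str(stmt.get("Effect", "")).lower() != "allow":
            continue  # a Deny on '*' restricts rather than grants
        actions = _as_list(stmt.get("Action"))
        if any(a.strip() in ADMIN_ACTIONS for a in actions):
            hits.append(idx)
    return hits


def is_compliant(policy_json):
    """Rule logic: compliant iff no Allow statement grants all actions."""
    return not admin_statements(json.loads(policy_json))


# Constructed sample policies for demonstration (not real tenant data).
NONCOMPLIANT = json.dumps({"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:*:*"]},      # service-scoped: fine
    {"Effect": "Allow", "Action": "*:*:*"}]})        # all services: flagged
COMPLIANT = json.dumps({"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["obs:bucket:GetBucketAcl"]},
    {"Effect": "Deny", "Action": ["*"]}]})           # Deny wildcard is not admin

if __name__ == "__main__":
    for name, doc in (("sample-1", NONCOMPLIANT), ("sample-2", COMPLIANT)):
        verdict = "compliant" if is_compliant(doc) else "NONCOMPLIANT"
        print(name, "->", verdict, admin_statements(json.loads(doc)))
```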