
IAM Customer Managed Policies That You Create Should Not Allow Wildcard Actions for Services

So you've set up an IAM customer managed policy and it looks great, but then you review the service permissions it grants and, after some thought, decide that the wildcard actions offered there don't meet your needs. You can make any number of changes to a customer managed policy by editing its JSON document, but if you try to remove one of the wildcard actions entirely or change its name (which is what we're doing here), you may get an error message like this one:

"You cannot delete this element because it is required by another element."

If * wildcards are used in the Allow statements, then anyone who can act under that policy could use it to gain unintended access to that service.

This is because a bare * in the Action element allows every action on every service. That is different from a wildcard scoped to a single service (service:*), which allows every action on that one service but nothing beyond it, and different again from listing specific actions, which allows only those.

A more secure approach is to create IAM policies that specify only the AWS services and API actions that are required to complete essential tasks. By eliminating permissions for AWS services and API actions that are not needed, you reduce the potential damage that an attacker could do if an account becomes compromised.

For example, if you have a customer managed policy in place but don't require Amazon S3 buckets or Lambda functions, then you should remove those permissions from the policy before it's used.

Even better would be to have an automated process manage your IAM policies when they're created or updated. You can use tools like CloudFormation or Terraform to define a template that creates new resources with specific IAM policies attached, so it's easier to manage these things consistently across multiple accounts rather than doing them manually one by one.
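The contrast the preceding paragraphs draw (a bare * versus a service-scoped wildcard versus explicitly listed actions) and the automated check the last paragraph recommends can both be illustrated with a small policy linter. The following is an added example, not code from the original post or from any AWS tool; the three policy documents are constructed samples, and the account ID, bucket and queue names in them are placeholders.

```python
import json

# Constructed sample: a customer managed policy that grants every action on
# every service. This is the pattern the post warns against.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ]
})

# Constructed sample: a policy with a service-scoped wildcard (all of S3)
# next to one statement that names a single action on a single resource.
SERVICE_WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["sqs:SendMessage"],
         "Resource": "arn:aws:sqs:us-east-1:123456789012:orders"}
    ]
})

# Constructed sample: a least-privilege policy listing only the actions
# that the workload actually needs, on the resource it actually uses.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-bucket/*"}
    ]
})


def _as_list(value):
    """IAM allows Statement/Action/NotAction to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_actions(policy_json):
    """Return findings for Allow statements whose actions are not explicit.

    Each finding is (statement_index, action, scope) where scope is
    'all-services' for a bare '*', 'service' for patterns such as 's3:*'
    or 'iam:Create*', and 'not-action' for an Allow built on NotAction,
    which permits everything except the listed actions.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a '*' in a Deny statement narrows access, it does not widen it
        if "NotAction" in stmt:
            findings.append((idx, "NotAction", "not-action"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((idx, action, "all-services"))
            elif "*" in action:
                findings.append((idx, action, "service"))
    return findings


def allowed_services(policy_json):
    """Service prefixes granted by Allow statements; '*' means every service."""
    policy = json.loads(policy_json)
    services = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            # Action names are case-insensitive in IAM, so normalise the prefix.
            services.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return services


def policy_passes(policy_json):
    """Gate for a CloudFormation/Terraform pipeline: reject wildcard Allows."""
    return not find_wildcard_actions(policy_json)


if __name__ == "__main__":
    for name, doc in [("broad", BROAD_POLICY),
                      ("service-wildcard", SERVICE_WILDCARD_POLICY),
                      ("scoped", SCOPED_POLICY)]:
        print(name, "services:", sorted(allowed_services(doc)),
              "findings:", find_wildcard_actions(doc),
              "passes:", policy_passes(doc))
```

Running the script prints one line per sample: the broad policy is flagged with scope all-services, the second policy is flagged for s3:* only (the sqs:SendMessage statement is explicit), and the scoped policy passes. The NotAction check is there because an Allow with NotAction is as open-ended as a wildcard even though no * appears in it, and a linter that only greps for * would miss it.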

By trimming customer-managed policies to the permissions that are actually needed, you reduce the potential damage an attacker could do if an account becomes compromised. If a role does not have permission to reach a given AWS resource, an attacker holding that role's credentials cannot perform any actions on that resource either. Removing unnecessary permissions therefore limits how far a stolen set of AWS credentials can reach into your data elsewhere in AWS.

When you create an IAM customer-managed policy, you specify exactly the type of access that is allowed, so creation time is the right moment to apply this discipline.

Conclusion

The best way to eliminate unnecessary permissions is to create IAM policies that specify only the AWS services and API actions that are required to complete essential tasks. This practice reduces the risk of unintended access to AWS resources by limiting what anyone acting under the policy is able to do.
