A policy that allows identities to access all resources in an AWS account may violate the principle of least privilege. Suppose an identity has permission to access all resources even though it only requires access to some non-sensitive ones. In this case, unauthorized access and disclosure of sensitive information will occur.
The AWS account has more than one resource with different levels of sensitivity.
A risk exists if you answered yes to this question.
It’s recommended to apply the least privilege principle, i.e., by only granting access to necessary resources. A good practice to achieve this is to organize or tag resources depending on the sensitivity level of data they store or process. Therefore, managing a secure access control is less prone to errors.
The wildcard "*" is specified as the resource for this PolicyStatement. This grants the update permission for all
policies of the account:
import { aws_iam as iam } from 'aws-cdk-lib'
new iam.PolicyDocument({
statements: [
new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ["iam:CreatePolicyVersion"],
resources: ["*"] // Sensitive
})
]
})
Restrict the update permission to the appropriate subset of policies:
import { aws_iam as iam } from 'aws-cdk-lib'
new iam.PolicyDocument({
statements: [
new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ["iam:CreatePolicyVersion"],
resources: ["arn:aws:iam:::policy/team1/*"]
})
]
})