Rules Contributing to AWS IAM Policy with Wildcard Privileges Alert

The following rules are used to detect IAM policies granting excessive permissions via wildcards. Any one or more of these will trigger the AWS IAM Policy with Wildcard Privileges Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title: AWS IAM Policy with Wildcard Privileges

Description: Detects IAM policies that grant excessive privileges using a wildcard (*) in either the Action or Resource field. Policies with Action set to "*" or "*:*" grant full permissions to all AWS services and operations. Policies with Resource set to "*" allow actions on all resources. This violates the principle of least privilege and can lead to privilege escalation and unauthorized access to sensitive resources.
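The check this rule describes, written out as an added example (not the alert's own detection logic): it walks each Allow statement of a parsed IAM policy document and reports an Action of "*" or "*:*" or a Resource of "*". The policy document below is constructed for illustration and does not come from any real account.

```python
import json

# Wildcard values called out by the rule: full-action wildcards and the all-resources wildcard.
FULL_ACTION_WILDCARDS = {"*", "*:*"}
ALL_RESOURCES = "*"


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_statements(policy_document):
    """Return findings for every Allow statement that uses a wildcard Action or Resource.

    policy_document is a dict (parsed IAM policy JSON) or the raw JSON string.
    Each finding is (Sid or statement index, field name, offending value).
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    findings = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with wildcards narrows access rather than widening it
        label = stmt.get("Sid", idx)
        for action in _as_list(stmt.get("Action")):
            if action in FULL_ACTION_WILDCARDS:
                findings.append((label, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == ALL_RESOURCES:
                findings.append((label, "Resource", resource))
    return findings


# Constructed sample policy: one least-privilege statement, one over-broad Allow, one Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for sid, field, value in find_wildcard_statements(SAMPLE_POLICY):
        print(f"statement {sid}: {field} = {value!r}")
```

Only the AdminEverything statement is reported: the S3 ARN contains a "*" but is a scoped resource, not the bare "*" the rule targets, and the Deny statement is skipped.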