Authorization bypass from wildcard actions in AWS IAM policy documents

Critical Risk infrastructure-security

What it is

A policy statement with Action: '*' allows every API action that its Resource and Condition elements permit; paired with Resource: '*' it is effectively administrator access. Any principal holding the credentials (or able to assume the role) can escalate privileges, tamper with data, delete resources, or abuse services across the whole account.

Why it happens

IAM matches the Action element with wildcard patterns, so '*' (and service-wide forms such as s3:* or iam:*) matches actions the author never considered. The wildcard is usually introduced as a development shortcut and never narrowed before the policy reaches production.

Root causes

Quick Development Shortcuts

Using Action: '*' during development for convenience and failing to refine permissions before production deployment.

Lack of Permission Knowledge

Not knowing the specific IAM actions required, defaulting to wildcards to ensure functionality works.

Copy-Paste from Examples

Copying overly permissive example policies from documentation or Stack Overflow without understanding that the wildcard grants far more than the example needed.

Fixes

1. Use IAM Access Analyzer

Enable IAM Access Analyzer and use its policy generation feature to produce a least-privilege policy from the principal's actual CloudTrail activity. Review the generated policy before applying it: it only covers actions observed during the sampled window, so an infrequent task (a monthly export, a disaster-recovery path) may need to be added by hand.

2. Enumerate Required Actions

Replace Action: '*' with an explicit list of only the specific actions needed (e.g., s3:GetObject, s3:PutObject), and scope Resource to the specific ARNs those actions target rather than '*'. Treat service-wide wildcards (s3:*) and NotAction with Effect: Allow as the same problem, since both grant actions that were never enumerated.

3. Add Condition Constraints

Further restrict permissions using condition keys, for example aws:SourceIp for IP ranges, aws:MultiFactorAuthPresent to require MFA, or aws:ResourceTag/<key> to limit access to resources carrying a specific tag.
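The following is an added example, not code from the original page or from Sourcery: it puts the wildcard policy from the root causes beside a hardened version that applies fixes 2 and 3, and implements a small check that flags wildcard (and NotAction) Allow statements and shows which API actions the Action element alone would let through. The two policy documents, the bucket name and the IP range are constructed samples; the helpers evaluate only the Action element and are not a full IAM policy simulator (Resource, Condition and explicit Deny are out of scope).

```python
"""Spot wildcard Action elements in an IAM policy and show what they permit.

Added example (not from the original page). The two policies below are
constructed samples, and the helpers are a pattern check on the Action
element only, not a full IAM policy simulator.
"""
import fnmatch
import json

# Constructed sample 1: the development shortcut the page describes.
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DevShortcut",
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
    }],
})

# Constructed sample 2: the same role after fixes 2 and 3 (explicit actions,
# scoped resource, condition constraints). Bucket name and CIDR are placeholders.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "UploadsReadWrite",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-uploads-bucket/*",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        },
    }],
})


def _as_list(value):
    """IAM lets Statement, Action, NotAction and Resource be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_actions(policy_json):
    """Return one finding per Allow statement that grants actions by wildcard."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        # Allow + NotAction grants everything *except* the listed actions:
        # a wildcard in disguise, so it is reported as well.
        if "NotAction" in stmt:
            findings.append({"sid": sid, "action": "NotAction", "kind": "not_action"})
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append({"sid": sid, "action": action, "kind": "full"})
            elif "*" in action or "?" in action:  # e.g. s3:*, s3:Get*, iam:Create?ser
                findings.append({"sid": sid, "action": action, "kind": "partial"})
    return findings


def allows_action(policy_json, api_action):
    """True if some Allow statement's Action/NotAction pattern covers api_action.

    IAM action names are matched case-insensitively, so both sides are lowered.
    Resource, Condition and explicit Deny are deliberately not evaluated: the
    point is to show what the wildcard alone opens up.
    """
    policy = json.loads(policy_json)
    wanted = api_action.lower()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            excluded = _as_list(stmt["NotAction"])
            if not any(fnmatch.fnmatchcase(wanted, p.lower()) for p in excluded):
                return True
            continue
        for pattern in _as_list(stmt.get("Action")):
            if fnmatch.fnmatchcase(wanted, pattern.lower()):
                return True
    return False


if __name__ == "__main__":
    probes = ("s3:GetObject", "iam:CreateAccessKey", "ec2:TerminateInstances")
    for name, doc in (("wildcard", WILDCARD_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_wildcard_actions(doc))
        for action in probes:
            print(f"  {action}: {allows_action(doc, action)}")
```

Run it as a script to see that the wildcard policy permits iam:CreateAccessKey and ec2:TerminateInstances (the privilege-escalation and resource-deletion paths from the description) while the hardened policy permits only the two S3 actions. The check is intentionally strict about NotAction because `"Effect": "Allow", "NotAction": ["iam:*"]` still grants every non-IAM action in the account and is easy to overlook when grepping for `"*"`.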

Detect This Vulnerability in Your Code

Sourcery automatically identifies authorization bypass from wildcard actions in AWS IAM policy documents and many other security issues in your codebase.