Control: 1 IAM policies should not allow full '*' administrative privileges
This control checks whether the default version of AWS Identity and Access Management policies (also known as customer managed policies) do not have administrator access with a statement that has
"Effect": "Allow" with "Action": "" over "Resource": "".
It only checks for the customer managed policies that you created, but does not check for full access to individual services, such as "S3:*".
It does not check for inline and AWS managed policies.
- Open the IAM console.
- Choose Policies.
- Choose the radio button next to the policy to remove.
- From Policy actions, choose Detach.
- On the Detach policy page, choose the radio button next to each user to detach the policy from and then choose Detach policy.
- Confirm that the user that you detached the policy from can still access AWS services and resources as expected.
steampipe check aws_compliance.control.foundational_security_iam_1
This control uses a named query:iam_policy_no_star_star