AWS Policy Created Allowing All Resources
An AWS IAM policy version was created that allows all actions on all resources, potentially leading to privilege escalation or unauthorized access.
This brief addresses the creation of an AWS IAM policy version that grants excessive permissions, specifically allowing all actions ("") on all resources (""). While the provided data is limited to the detection file's existence in Splunk's security content repository, such a policy configuration significantly elevates the risk of unauthorized access, data breaches, and privilege escalation within an AWS environment. A malicious actor or compromised user could leverage these permissions to perform virtually any operation within the AWS account. The date of publishing the detection (2026-02-25) suggests this is a known security concern.
Attack Chain
- An attacker gains access to an AWS account through compromised credentials or by exploiting a vulnerability in an application with IAM permissions.
- The attacker uses the AWS CLI or management console to create a new IAM policy or modify an existing one.
- The attacker sets the "Action" field in the policy to "*" (all actions).
- The attacker sets the "Resource" field in the policy to "*" (all resources).
- The attacker creates a new version of the policy with these permissive settings using the
CreatePolicyVersionAPI call. - The attacker attaches this policy to an IAM user, role, or group, effectively granting broad access.
- The attacker leverages these permissions to perform reconnaissance, identify sensitive data, or escalate privileges.
- The attacker exfiltrates data, modifies configurations, or launches further attacks within the AWS environment.
Impact
The impact of creating an IAM policy allowing all resources can be severe. A successful attack could lead to full compromise of the AWS environment, including data exfiltration, service disruption, and financial loss. The absence of resource-based constraints means any entity with the policy can access and modify any AWS service. The scope of the impact depends on the resources available in the AWS account, but it could potentially affect all services and data stored within.
Recommendation
- Deploy the Sigma rule
AWS IAM Policy Created Allowing All Resourcesto your SIEM and tune for your environment to detect the creation of overly permissive policies. - Review all existing IAM policies and roles for overly permissive configurations, specifically looking for policies with
Action: "*"andResource: "*". - Implement the principle of least privilege when assigning IAM permissions, granting only the minimum necessary access required for each user or role.
- Enable AWS CloudTrail to log all API calls, including
CreatePolicyVersion, to provide an audit trail of IAM policy changes.
Detection coverage 2
AWS IAM Policy Created Allowing All Resources
highDetects the creation of an AWS IAM policy version that allows all actions on all resources.
AWS IAM Policy Updated to Allow All Resources
highDetects an update to an AWS IAM policy version that allows all actions on all resources.
Detection queries are available on the platform. Get full rules →