You know what gets me? Seeing environments where a single compromised credential can bring down a whole AWS account. Nine times out of ten, it’s because someone thought a wildcard was “easier.” Easier for the attacker, maybe.
Wildcard actions ("Action": "*") and resources ("Resource": "*") in IAM policies are a huge red flag. It's like giving someone the keys to the entire city just because they need to open one door. This isn't just theory; I've seen this lead to lateral movement nightmares, because whoever steals that one credential inherits every API call against every resource in the account.
The fix is simple to state: granular permissions. Run IAM Access Analyzer's policy validation before you attach a new policy (it flags "*" actions and resources as findings), and use its unused-access findings and the "last accessed" data on existing roles to tighten policies that are already live. For new policies, list every action and resource explicitly and justify each one. If you can't justify it, remove it.
You need to be ruthless here. If you’re not enforcing least privilege, you’re leaving the door wide open.
The fix
# Find customer-managed policies whose default version allows Action "*"
# (exact "*" or "service:*" strings); get-policy-version needs the version id,
# so look up DefaultVersionId first.
for arn in $(aws iam list-policies --scope Local --query 'Policies[].Arn' --output text); do
  ver=$(aws iam get-policy --policy-arn "$arn" --query 'Policy.DefaultVersionId' --output text)
  hits=$(aws iam get-policy-version --policy-arn "$arn" --version-id "$ver" \
    --query "PolicyVersion.Document.Statement[?Effect=='Allow' && (Action=='*' || contains(Action, '*'))]" \
    --output text)
  [ -n "$hits" ] && echo "WILDCARD ACTION: $arn (version $ver)"
done
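The CLI pipeline pulls policy documents out of the account; the check itself is worth having as code you can run offline against any policy JSON (a fetched document, a template in a repo, a CI gate). This is an added example, not code from the original post: a small linter that normalises the string-or-list forms IAM allows, skips Deny statements, and grades Allow statements by how much they give away. The sample policies (a full-admin one, an Allow + NotAction one, and a scoped-down S3 reader) and the bucket name are constructed for illustration.

```python
"""Offline linter for IAM policy documents: flags Allow statements that rely on
wildcards. Added example, not part of the original post; it never calls AWS, it
only inspects policy JSON you already have (from get-policy-version, a template,
or CI)."""
import json


def _as_list(value):
    """IAM allows Action/Resource/NotAction to be a string or a list; normalise."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def find_wildcards(policy) -> list:
    """Return one finding per Allow statement that uses wildcard access.

    severity "high":   Action "*", "service:*", or Allow + NotAction
    severity "medium": any other action containing "*" (e.g. "s3:Get*")
    severity "low":    Resource "*" with otherwise specific actions (some
                       actions genuinely need it, so review rather than reject)
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a wildcard in a Deny only restricts; nothing to flag
        reasons, severity = [], None
        for act in _as_list(stmt.get("Action")):
            if act == "*" or act.endswith(":*"):
                reasons.append(f"Action {act!r} grants every call"
                               + ("" if act == "*" else " in that service"))
                severity = "high"
            elif "*" in act:
                reasons.append(f"Action {act!r} matches multiple calls")
                severity = severity or "medium"
        if "NotAction" in stmt:
            # Allow + NotAction is "everything except": a wildcard in disguise.
            reasons.append("Allow with NotAction grants everything not listed")
            severity = "high"
        if "*" in _as_list(stmt.get("Resource")):
            reasons.append("Resource '*' applies to every resource in the account")
            severity = severity or "low"
        if reasons:
            findings.append({"index": idx, "sid": stmt.get("Sid", ""),
                             "severity": severity, "reasons": reasons})
    return findings


# Constructed sample: the "easier" policy that gives away the whole account.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DoEverything", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}

# Constructed sample: no Action "*" anywhere, yet it is still near-admin.
SNEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllButIam", "Effect": "Allow",
                   "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}],
}

# Constructed sample: the same job (read objects under one prefix) scoped down.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-reports-bucket/reports/*"},
        {"Sid": "ListReports", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-reports-bucket",
         "Condition": {"StringLike": {"s3:prefix": ["reports/*"]}}},
    ],
}

if __name__ == "__main__":
    for name, doc in (("BAD", BAD_POLICY), ("SNEAKY", SNEAKY_POLICY), ("GOOD", GOOD_POLICY)):
        print(name, json.dumps(find_wildcards(doc), indent=2))
```

The "low" tier exists because a handful of actions (s3:ListAllMyBuckets, ec2:DescribeInstances and friends) do not support resource-level permissions and legitimately need Resource "*"; the point is to make those a deliberate, reviewed exception rather than the default.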
Reference: CIS AWS Foundations Benchmark 1.16 (v1.4.0 and later), "Ensure IAM policies that allow full "*:*" administrative privileges are not attached"