Test 230: AWS IAM Principle of Least Privilege

Drata validates that AWS IAM policies that allow broad access patterns or wild-card permissions (e.g., '*') are not used.

Updated over a month ago


IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended, and considered standard security advice, to grant least privilege, that is, to grant only the permissions required to perform a task. Determine what users need to do and then craft policies that let them perform only those tasks, instead of allowing full administrative privileges.

It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting a user to the minimum set of permissions their tasks require exposes the resources to potentially unwanted actions.

ASSOCIATED DRATA CONTROL

This test is part of the Principle of Least Privilege control (DCF-776) that ensures your company assigns permissions through groups or roles based on the principle of least privilege and limits the use of wild-card permissions or broad-access patterns.

WHAT TO DO IF A TEST FAILS

If Drata finds AWS IAM policies that allow broad access patterns or wild-card permissions, the test will fail. Providing full administrative privileges instead of restricting a user to the minimum set of permissions their tasks require exposes the resources to potentially unwanted actions.
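To see which statements in a policy document would count as a broad or wild-card grant, the following added example (not Drata's own test logic) walks an IAM policy and reports Allow statements that use `Action "*"`, a service-wide `service:*` action, or `NotAction`, and notes when `Resource "*"` widens such a grant. The three policy documents are constructed for this example.

```python
import json

# Constructed sample policy documents for this example (not from Drata or AWS).
FULL_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

SERVICE_WIDE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllIam", "Effect": "Allow", "Action": ["iam:*", "s3:ListBucket"], "Resource": "*"}]}

SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
    # A wild-card Deny only removes permissions, so it is not a finding.
    {"Sid": "NoDeleteAnywhere", "Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]}

def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def find_wildcard_grants(policy_document):
    """Return one finding per Allow statement that grants broad access.

    Flags Action '*', service-wide 'service:*' actions and Allow + NotAction,
    and notes a Resource '*' that extends such a grant to every resource.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; skip them
        actions = _as_list(stmt.get("Action"))
        reasons = []
        if "NotAction" in stmt:
            reasons.append("Allow with NotAction grants every action not listed")
        if "*" in actions:
            reasons.append("Action '*' grants every action of every service")
        service_wide = [a for a in actions if a.endswith(":*")]
        if service_wide:
            reasons.append("service-wide action wildcard: " + ", ".join(service_wide))
        if reasons and "*" in _as_list(stmt.get("Resource")):
            reasons.append("Resource '*' applies the grant to every resource")
        if reasons:
            findings.append({"statement": index, "sid": stmt.get("Sid"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for name, doc in (("FULL_ADMIN", FULL_ADMIN), ("SERVICE_WIDE", SERVICE_WIDE), ("SCOPED", SCOPED)):
        print(name, find_wildcard_grants(doc))
```

Only the first two documents produce findings; the scoped policy, including its wild-card Deny, passes.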

STEPS TO REMEDIATE

  1. Sign in to the AWS Management Console and open the IAM Console.

  2. In the navigation pane, click 'Policies' and then search for the names of failing policies.

  3. Before deleting the failing policies, detach all users, groups, and roles from each failing policy.

  4. Delete each newly detached policy.

Center for Internet Security (CIS)

This test aligns with the Center for Internet Security’s (CIS) foundation benchmarks, which provide prescriptive guidance for establishing a secure baseline configuration for Amazon Web Services. To learn more, refer to the Center for Internet Security (CIS) section.
