The asterisk (*) is the most dangerous character in cloud computing.
When a developer is blocked by a “Permission Denied” error at 2 AM, the temptation to just add "Action": "" or "Resource": "" is overwhelming. It fixes the immediate problem. The deployment succeeds. The ticket is closed.
But that single asterisk has just planted a dormant time bomb in your AWS account. You haven’t just granted access to “that one bucket”; you might have accidentally granted permission to delete every bucket, or worse, pass administrative roles to untrusted EC2 instances.
In this guide, we are going to move beyond the generic “follow least privilege” advice. We will dig into the specific, high-risk IAM actions you need to audit right now, how to spot privilege escalation paths, and how to visualize these invisible threats before an attacker does.
- The Risk: Wildcards in Action (e.g., iam:*) allow users to create new admins or bypass safeguards.
- The “Hidden” Killer: iam:PassRole combined with ec2:RunInstances allows any user to become an Admin.
- The Fix: Audit your JSON files manually or use our IAM Policy Visualizer to map out permissions graphically.
1. Why Wildcards Are Worse Than You Think
Most developers understand that "Action": "s3:*" is bad. It allows deleting data. But the nuance of AWS permissions means that wildcards often grant powers you didn’t even know existed.
The “Future-Proofing” Trap
When you use a wildcard, you grant permission for all current API actions and any future actions AWS adds.
For example, if you granted dynamodb:* in 2018, you intended to allow reading/writing tables. But when AWS later released DynamoDB Streams or PartiQL, that policy automatically granted access to those new features without you reviewing them. You are effectively pre-approving permissions for services that don’t exist yet.
2. The “Toxic Combinations” to Audit
Searching for * isn’t enough. You need to look for specific combinations of permissions that attackers use for Privilege Escalation.
A. The iam:PassRole Escalation
This is the classic AWS hack. If a user has ec2:RunInstances and iam:PassRole, they can launch a new EC2 instance and assign it an existing “Admin” role. They then log into that instance and—surprise—they are now Admins.
Audit Check: Search your policies for:
{ "Effect": "Allow", "Action": [ "iam:PassRole", "ec2:RunInstances" ], "Resource": "*" }If you see Resource: * next to iam:PassRole, you have a critical vulnerability. The resource must always be restricted to a specific, low-privilege ARN.
B. The glue:UpdateDevEndpoint Backdoor
AWS Glue is often overlooked. But if a user has glue:UpdateDevEndpoint, they can modify an existing development endpoint to use a new SSH key. This gives them shell access to the Glue environment, which often has broad VPC access.
3. How to Audit Your Policies (Manual vs. Visual)
You have hundreds of policies. How do you find the needle in the haystack?
Method 1: The “Grep” Method (Manual)
If you love the terminal, you can pull all your policies and search them textually. This is tedious but effective for a snapshot.
# Get all policy versions (Simplified logic) aws iam list-policies --scope Local --query 'Policies[*].Arn' |
xargs -I {} aws iam get-policy-version --policy-arn {} --version-id v1The problem: JSON is hard to read. A policy might look safe because the Statement array is split into ten different blocks, hiding the dangerous combination.
Method 2: The Visual Method (Recommended)
Humans process graphs faster than JSON. Instead of reading code, you should verify permissions visually.
A good visualizer will parse the Policy JSON and explode the wildcards, showing you exactly what is effectively allowed.
We built a privacy-first tool to solve this exact problem. Unlike other auditors that require you to upload your keys, our tool works client-side.
Paste your policy JSON into the IAM Policy Visualizer.
It instantly maps out the relationships, highlights Resource: * usage in red, and helps you spot unintended cross-account access.
4. Step-by-Step Remediation Guide
Once you find a wildcard, how do you remove it without breaking the application?
Step 1: Enable CloudTrail Logging
Before you remove a permission, you must know if it’s being used. Go to CloudTrail and search for the specific event name. If you see AccessDenied after removing a wildcard, you broke something.
Step 2: Use “Access Advisor”
In the AWS Console, the IAM User/Role tab has a section called Access Advisor. It shows you which services the user actually accessed in the last 90 days. If a user has s3:* but Access Advisor says they haven’t touched S3 in 30 days, you can safely remove the permission entirely.
Step 3: Replace Wildcards with Prefixes
You don’t always need to list every single file. Use prefixes to scope access without being overly specific.
- Bad: "Resource": "arn:aws:s3:::my-bucket/*"
- Better: "Resource": "arn:aws:s3:::my-bucket/users/${aws:username}/*"
This allows the user to do whatever they want, but only in their own folder.
5. Advanced: Conditional Keys
The strongest IAM policies don’t just limit Actions; they limit Conditions.
Even if you must grant AdministratorAccess to a developer, you can attach a condition that says “Only if MFA is enabled” or “Only from the corporate VPN IP.”
"Condition": { "IpAddress": { "aws:SourceIp": "203.0.113.0/24" } }Frequently Asked Questions
Is Action: * ever safe?
Almost never for a human user or an application role. The only exception might be a “Break Glass” role used strictly for emergency recovery, and even then, it should alert the security team when assumed.
What is the difference between `Resource: *` and a specific ARN?
`Resource: *` means the action applies to ALL resources in your account (and sometimes other accounts if cross-account access is configured). A specific ARN restricts the action to just that one database, bucket, or instance.
Does AWS have a native tool for this?
AWS offers the IAM Policy Simulator. It is a great tool for checking “Can user X do action Y?”, but it is less effective at high-level auditing or showing you “What else can user X do?” that you didn’t ask about.
How can I check IAM policies without uploading them?
This is a major security concern. Many online formatters send your data to a backend server. You should use client-side tools (like our IAM Visualizer) or run open-source CLI tools like Parliament or PMapper locally on your machine.
Conclusion: Visibility is Security
AWS IAM is complex by design. It gives you granular control, but that granularity creates complexity. The asterisk is a shortcut through that complexity, but it is a shortcut that leads to data breaches.
Don’t trust your eyes to parse 500 lines of JSON. Use visualization tools, check CloudTrail logs, and aggressively prune permissions that haven’t been used in 90 days. Your future self (and your legal team) will thank you.
Modifying AWS IAM policies or security configurations carries significant risk. A misconfiguration can lock you out of your account or expose sensitive data. The advice in this guide is general and may not fit your specific compliance requirements. Toolshref.com accepts no liability for security breaches or service disruptions. Proceed with caution and consult your organization’s security team.