Policy statements that use a wildcard principal (*) with Effect set to Allow grant trust or permissions to any AWS principal. This can enable unauthorized accounts or external services to assume roles or perform actions, increasing the risk of privilege escalation and data exposure.
In the Ansible resources amazon.aws.iam_managed_policy and iam_managed_policy, check the policy.Statement[].Effect and policy.Statement[].Principal.AWS properties. A statement must not combine an Allow effect with a Principal.AWS value that is equal to or contains "*". This rule flags managed policy resources in which any statement authorizes "*" as a principal. Replace wildcards with explicit principals, such as AWS account IDs, ARNs, or specific service principals, to limit trust to known entities.
Compliant Code Examples
- name: Create IAM Managed Policy
  amazon.aws.iam_managed_policy:
    name: my-iam-policy
    policy_name: ManagedPolicy
    policy:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action: logs:CreateLogGroup
          Resource: '*'
    make_default: false
    state: present
Non-Compliant Code Examples
- name: Create IAM Managed Policy
  amazon.aws.iam_managed_policy:
    name: my-iam-policy
    policy_name: "ManagedPolicy"
    policy:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Action: "logs:CreateLogGroup"
          Resource: "*"
          Principal:
            Service: "ec2.amazonaws.com"
            AWS: "*"
    make_default: false
    state: present
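The check the rule describes, written out as an added example (this is not Datadog's rule implementation nor code from the amazon.aws collection). It operates on the policy document itself, with the two policies from the compliant and non-compliant examples above embedded as constructed JSON. It goes slightly beyond the property path named in the rule: besides Principal.AWS as a scalar or list, it also treats the IAM shorthand "Principal": "*" as a wildcard principal and accepts a Statement given as a single object rather than a list, both of which are valid IAM forms.

```python
import json

# Constructed sample policy documents mirroring the page's compliant and
# non-compliant Ansible examples (only the `policy:` value, without the task wrapper).
COMPLIANT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*"}
  ]
}
""")

NON_COMPLIANT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "*",
      "Principal": {"Service": "ec2.amazonaws.com", "AWS": "*"}
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts a scalar or a list for most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(principal):
    """Return the AWS principal entries of a statement's Principal field.

    Covers the shorthand form "Principal": "*" (equivalent to {"AWS": "*"})
    and the object form with a scalar or list under the "AWS" key.
    Service principals under "Service" are deliberately not included,
    since the rule only concerns Principal.AWS.
    """
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    return _as_list(principal.get("AWS"))


def find_wildcard_principals(policy):
    """Return (statement_index, Sid) for each Allow statement whose AWS
    principal is "*" or a list containing "*". An empty list means compliant."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue  # a Deny with "*" is not the pattern this rule flags
        if "*" in _aws_principals(statement.get("Principal")):
            findings.append((index, statement.get("Sid")))
    return findings


if __name__ == "__main__":
    for label, policy in (("compliant", COMPLIANT_POLICY),
                          ("non-compliant", NON_COMPLIANT_POLICY)):
        print(label, find_wildcard_principals(policy))
```

Running the script reports no findings for the compliant policy and one finding at statement index 0 for the non-compliant policy; the Sid is reported so a finding can be mapped back to the offending statement when a policy has several.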
rulesets:
  - Ansible / AWS # Rules to enforce / AWS.