- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
This rule ensures that none of your IAM roles have highly-privileged policies or administrative policies attached to them and a trust policy which includes a wildcard as a Principal
. It is possible to specify a wildcard principal which permits any principal, including those outside your AWS organization, the ability to assume the role. It is strongly discouraged to use the wildcard principal in a trust policy unless there is a Condition element to restrict access.
An IAM role with highly privileged or administrative permissions can access all AWS services and resources in the account. A role with these privileges could potentially, whether unknowingly or purposefully, cause security issues or data leaks. Roles with this level of access may also be targeted by an adversary to compromise the entire AWS account. When a role has a trust relationship with a wildcard Principal
, this means that any AWS account (including those outside your AWS organization) can assume that role.
Datadog recommends reducing the permissions attached to an IAM role to the minimum required for it to fulfill its function. You can use AWS Access Advisor to identify effective permissions used by your instances, and use AWS IAM Access Analyzer to generate an IAM policy based on past CloudTrail events.
Any role with a trust relationship involving a wildcard should be audited to ensure their validity and compliance with any security requirements set in place by your organization. In addition, the use of a Condition element is strongly encouraged.