---
title: IAM policy grants 'AssumeRole' permission across all services
---

# IAM policy grants 'AssumeRole' permission across all services


## Metadata{% #metadata %}

**Id:** `ansible-aws-iam-policy-grants-assumerole-permission-across-all-services`

**Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Access Control

### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/iam_managed_policy_module.html)

## Description{% #description %}

Policy statements that use a wildcard principal (`*`) with `Effect` set to `Allow` grant trust or permissions to any AWS principal. This can enable unauthorized accounts or external services to assume roles or perform actions, increasing the risk of privilege escalation and data exposure.

In the Ansible resources `amazon.aws.iam_managed_policy` and `iam_managed_policy`, check the `policy.Statement[].Effect` and `policy.Statement[].Principal.AWS` properties. No statement may combine `Effect: Allow` with a `Principal.AWS` value that is `"*"` or a list containing `"*"`. This rule flags managed policy resources in which any statement authorizes `"*"` as a principal. Replace the wildcard with explicit principals (AWS account IDs, IAM role or user ARNs, or specific service principals) so that trust is limited to known entities.
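The check above, written out as a small scanner over Ansible task data. This is an added example, not Datadog's rule engine or code from the `amazon.aws` collection. It assumes the playbook has already been loaded into Python dicts (for instance with `yaml.safe_load`), so the sample tasks below are constructed dict versions of the compliant and non-compliant examples on this page. Beyond the `Principal.AWS` form the rule names, it also treats the bare-string form `Principal: "*"` as a wildcard, which IAM evaluates the same as `{"AWS": "*"}`, and it accepts a policy supplied as a JSON string, which the module also allows.

```python
"""Flag Ansible managed-policy tasks whose policy allows a wildcard principal.

Added example illustrating the rule on this page; not part of the Datadog
rule engine or the amazon.aws collection.
"""
from __future__ import annotations

import json
from typing import Any

WILDCARD = "*"
MODULE_NAMES = ("amazon.aws.iam_managed_policy", "iam_managed_policy")


def _as_list(value: Any) -> list:
    """IAM accepts a single value or a list for Statement, Principal.AWS, etc."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal: Any) -> bool:
    """True if the statement's Principal trusts any AWS principal.

    Covers Principal.AWS equal to or containing "*" (the form the rule names)
    and the bare-string form Principal: "*", which IAM treats as {"AWS": "*"}.
    A Service-only principal (e.g. ec2.amazonaws.com) is not a wildcard.
    """
    if principal == WILDCARD:
        return True
    if isinstance(principal, dict):
        return WILDCARD in _as_list(principal.get("AWS"))
    return False


def find_wildcard_allow_statements(policy: dict) -> list[int]:
    """Return indices of statements combining Effect Allow with a wildcard principal."""
    flagged = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if not isinstance(statement, dict):
            continue
        if statement.get("Effect") != "Allow":  # Deny with "*" is not the issue here
            continue
        if principal_is_wildcard(statement.get("Principal")):
            flagged.append(index)
    return flagged


def scan_tasks(tasks: list[dict]) -> list[dict]:
    """Report each managed-policy task whose policy has a wildcard-principal Allow."""
    findings = []
    for task in tasks:
        for module in MODULE_NAMES:
            params = task.get(module)
            if not isinstance(params, dict):
                continue
            policy = params.get("policy")
            if isinstance(policy, str):  # the module also accepts a JSON string
                policy = json.loads(policy)
            if not isinstance(policy, dict):
                continue
            bad = find_wildcard_allow_statements(policy)
            if bad:
                findings.append({
                    "task": task.get("name", "<unnamed>"),
                    "policy_name": params.get("policy_name"),
                    "statements": bad,
                })
    return findings


# Constructed sample input: the page's compliant and non-compliant examples as
# the dicts yaml.safe_load would produce from the playbook.
SAMPLE_TASKS = [
    {
        "name": "Create IAM Managed Policy (compliant)",
        "amazon.aws.iam_managed_policy": {
            "name": "my-iam-policy",
            "policy_name": "ManagedPolicy",
            "policy": {
                "Version": "2012-10-17",
                "Statement": [
                    {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*"},
                ],
            },
            "make_default": False,
            "state": "present",
        },
    },
    {
        "name": "Create IAM Managed Policy (non-compliant)",
        "amazon.aws.iam_managed_policy": {
            "name": "my-iam-policy",
            "policy_name": "ManagedPolicy",
            "policy": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": "logs:CreateLogGroup",
                        "Resource": "*",
                        "Principal": {"Service": "ec2.amazonaws.com", "AWS": "*"},
                    },
                ],
            },
            "make_default": False,
            "state": "present",
        },
    },
]

if __name__ == "__main__":
    for finding in scan_tasks(SAMPLE_TASKS):
        print(f"{finding['task']}: wildcard principal in statement(s) {finding['statements']}")
```

Running the module prints one finding, for the non-compliant task only: the compliant example has no `Principal` at all, so nothing is flagged, while the `AWS: "*"` entry beside the `ec2.amazonaws.com` service principal is what trips the check.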

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Create IAM Managed Policy
  amazon.aws.iam_managed_policy:
    name: my-iam-policy
    policy_name: ManagedPolicy
    policy:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action: logs:CreateLogGroup
        Resource: '*'
    make_default: false
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: Create IAM Managed Policy
  amazon.aws.iam_managed_policy:
    name: my-iam-policy
    policy_name: "ManagedPolicy"
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Action: "logs:CreateLogGroup"
        Resource: "*"
        Principal:
          Service: "ec2.amazonaws.com"
          AWS: "*"
    make_default: false
    state: present
```
