---
title: IAM role allows all principals to assume
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > IAM role allows all principals to assume
---

# IAM role allows all principals to assume

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-aws-iam-role-allows-all-principals-to-assume`

**Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/iam_managed_policy_module.html)

### Description{% #description %}

Specifying the account root or an entire AWS account as a principal (ARNs that end with `:root`) grants every identity in that account the ability to assume the role or act as that principal. This increases the risk of privilege escalation, lateral movement, and unauthorized access if any identity is compromised.

This rule checks Ansible tasks that use the `amazon.aws.iam_managed_policy` or `iam_managed_policy` module and flags every policy statement whose `policy.Statement[].Principal.AWS` value contains `:root`. Principal values must be explicit and least-privileged: use specific IAM role or user ARNs, or service principals, instead of account-root ARNs or wildcards.

Secure example with an explicit principal:

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/SpecificRole"
      },
      "Action": "sts:AssumeRole"
    }
  ],
  "Version": "2012-10-17"
}
```
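The check described above, written out as an added example that is not part of the Datadog rule implementation: it walks already-parsed Ansible tasks, accepts the `policy` parameter either as a mapping or as a JSON string (the form the second non-compliant task uses), and reports each statement whose `Principal.AWS` contains `:root`. Loading the playbook YAML into Python structures is assumed to happen beforehand (for example with PyYAML); the `SAMPLE_TASKS` below are constructed to mirror the page's compliant and non-compliant tasks, and the account id `123456789012` is the placeholder the page itself uses.

```python
import json
from typing import Any, Dict, Iterable, List

# Both spellings of the module name that the rule covers.
IAM_MANAGED_POLICY_MODULES = ("amazon.aws.iam_managed_policy", "iam_managed_policy")


def _as_list(value: Any) -> List[Any]:
    """IAM allows scalar-or-list in several places; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _load_policy(policy: Any) -> Dict[str, Any]:
    """The module accepts the policy as a mapping or as a JSON string."""
    if isinstance(policy, str):
        return json.loads(policy)
    if isinstance(policy, dict):
        return policy
    return {}


def find_root_principals(tasks: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per statement whose Principal.AWS contains ':root'."""
    findings: List[Dict[str, Any]] = []
    for task in tasks:
        module = next((m for m in IAM_MANAGED_POLICY_MODULES if m in task), None)
        if module is None:
            continue  # not an IAM managed-policy task; out of scope for this rule
        params = task[module] or {}
        policy = _load_policy(params.get("policy"))
        for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
            if not isinstance(stmt, dict):
                continue
            principal = stmt.get("Principal")
            # Principal may be "*" or a mapping; only the AWS key is inspected here.
            aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
            root_arns = [p for p in aws_principals if isinstance(p, str) and ":root" in p]
            if root_arns:
                findings.append({
                    "task": task.get("name", "<unnamed>"),
                    "module": module,
                    "statement_index": idx,
                    "principals": root_arns,
                })
    return findings


# Constructed sample tasks (already parsed from YAML), mirroring the page's examples.
SAMPLE_TASKS: List[Dict[str, Any]] = [
    {   # compliant: no Principal element at all
        "name": "Create IAM Managed Policy",
        "amazon.aws.iam_managed_policy": {
            "name": "my-iam-policy",
            "policy": {
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*"}],
            },
            "state": "present",
        },
    },
    {   # non-compliant: account-root principal, policy given as a mapping
        "name": "Create IAM Managed Policy (root)",
        "amazon.aws.iam_managed_policy": {
            "name": "my-iam-policy",
            "policy": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Action": "logs:CreateLogGroup",
                    "Resource": "*",
                    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                }],
            },
        },
    },
    {   # non-compliant: unqualified module name, policy given as a JSON string, AWS as a list
        "name": "Create2 IAM Managed Policy",
        "iam_managed_policy": {
            "name": "my-iam-policy2",
            "policy": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Action": "logs:PutRetentionPolicy",
                    "Resource": "*",
                    "Principal": {"AWS": ["arn:aws:iam::123456789012:role/SpecificRole",
                                          "arn:aws:iam::root"]},
                }],
            }),
        },
    },
]


if __name__ == "__main__":
    for finding in find_root_principals(SAMPLE_TASKS):
        print(f"{finding['task']}: statement {finding['statement_index']} "
              f"allows {finding['principals']} via {finding['module']}")
```

Running it reports the two non-compliant tasks and nothing for the compliant one; the list form of `Principal.AWS` in the last task shows why the scalar-or-list normalisation matters, since a single `:root` entry mixed into an otherwise specific list still opens the statement to every identity in that account.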

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Create IAM Managed Policy
  amazon.aws.iam_managed_policy:
    name: my-iam-policy
    policy_name: ManagedPolicy
    policy:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action: logs:CreateLogGroup
        Resource: '*'
    make_default: false
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: Create IAM Managed Policy
  amazon.aws.iam_managed_policy:
    name: my-iam-policy
    policy_name: "ManagedPolicy"
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Action: "logs:CreateLogGroup"
        Resource: "*"
        Principal:
          AWS: "arn:aws:iam::root"
    make_default: false
    state: present
- name: Create2 IAM Managed Policy
  amazon.aws.iam_managed_policy:
    name: my-iam-policy2
    policy_name: "ManagedPolicy2"
    policy: >
      {
        "Version": "2012-10-17",
        "Statement":[{
          "Effect": "Allow",
          "Action": "logs:PutRetentionPolicy",
          "Resource": "*",
          "Principal" : { "AWS" : "arn:aws:iam::root" }
        }]
      }
    only_version: true
    state: present
```
