---
title: IAM policies with full privileges
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > IAM policies with full privileges
---

# IAM policies with full privileges

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `e401d614-8026-4f4b-9af9-75d1197461ba`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/iam_managed_policy_module.html)

### Description{% #description %}

IAM policies must not grant full administrative privileges (`Allow` for all actions on all resources). Such a statement is a ready-made privilege escalation path: any principal the policy is attached to can read, modify, or delete every resource in the account. For Ansible managed policy resources (modules `amazon.aws.iam_managed_policy` and `iam_managed_policy`), inspect the `Statement` entries of the `policy` document and ensure no statement has `Effect: Allow` together with `Action` set to `"*"` and `Resource` set to `"*"`. Define explicit action lists and restrict `Resource` to specific ARNs, or use condition keys to enforce least privilege. If full admin rights are truly required, attach AWS-managed administrative policies only to trusted admin roles or groups. The rule flags statements where `Effect` is `Allow` and both `Action` and `Resource` are `'*'` (whether given as a plain string or as a list containing `'*'`, as in the non-compliant example below).

Secure example with explicit actions and narrowed resources:

```yaml
- name: Create limited S3 read policy
  amazon.aws.iam_managed_policy:
    policy_name: ReadOnlyS3Policy   # the module's documented parameter is policy_name
    policy:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:                   # explicit actions instead of "*"
            - s3:ListBucket
            - s3:GetObject
          Resource:                 # scoped to one bucket and its objects instead of "*"
            - arn:aws:s3:::my-bucket
            - arn:aws:s3:::my-bucket/*
    state: present
```
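The check the rule performs can be reproduced locally before a playbook reaches CI. The following Python script is an added example written for this page; it is not Datadog's scanner or code from the Ansible collection. It walks a loaded playbook (the structure `yaml.safe_load` returns; the sample below is a constructed equivalent of that structure so the script runs without PyYAML), finds tasks that use either module name from the description, and flags every statement whose `Effect` is `Allow` with `'*'` in both `Action` and `Resource`. It goes slightly beyond the page's two examples by also descending into `block`/`rescue`/`always` sections and by accepting the policy as a JSON string, which the module also allows; both of those generalisations are the example's own assumptions.

```python
"""Flag Ansible IAM managed policies that grant Allow on Action "*" and Resource "*"."""
import json

# Module names covered by the rule (short name and fully qualified collection name).
POLICY_MODULES = {"amazon.aws.iam_managed_policy", "iam_managed_policy"}
# Keys whose values hold further task lists: play-level and block-level containers.
TASK_CONTAINERS = ("tasks", "pre_tasks", "post_tasks", "handlers", "block", "rescue", "always")


def _as_list(value):
    """IAM allows Action, Resource and Statement to be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _load_policy(policy):
    """The module accepts `policy` as a mapping or as a JSON string; return a mapping either way."""
    if isinstance(policy, str):
        try:
            return json.loads(policy)
        except ValueError:
            return {}
    return policy if isinstance(policy, dict) else {}


def is_full_privilege(statement):
    """True when Effect is Allow and the wildcard '*' appears in both Action and Resource."""
    if not isinstance(statement, dict):
        return False
    if str(statement.get("Effect", "")).lower() != "allow":
        return False
    actions = [str(a) for a in _as_list(statement.get("Action"))]
    resources = [str(r) for r in _as_list(statement.get("Resource"))]
    return "*" in actions and "*" in resources


def iter_tasks(node):
    """Yield every task mapping in a loaded playbook, descending through plays and blocks."""
    if isinstance(node, list):
        for item in node:
            yield from iter_tasks(item)
    elif isinstance(node, dict):
        if not any(key in node for key in TASK_CONTAINERS):
            yield node  # a leaf mapping with no task container is a task
        for key in TASK_CONTAINERS:
            if key in node:
                yield from iter_tasks(node[key])


def find_full_privilege_policies(playbook):
    """Return (task name, statement index) for each statement the rule would flag."""
    findings = []
    for task in iter_tasks(playbook):
        module = next((key for key in task if key in POLICY_MODULES), None)
        if module is None:
            continue
        params = task[module] if isinstance(task[module], dict) else {}
        policy = _load_policy(params.get("policy"))
        for index, statement in enumerate(_as_list(policy.get("Statement"))):
            if is_full_privilege(statement):
                findings.append((task.get("name", "<unnamed>"), index))
    return findings


# Constructed sample: what yaml.safe_load would return for a small playbook containing
# the page's compliant and non-compliant tasks plus a JSON-string policy inside a block.
SAMPLE_PLAYBOOK = [
    {
        "name": "Manage IAM policies (constructed sample)",
        "hosts": "localhost",
        "tasks": [
            {  # compliant: a single explicit action, even though Resource is "*"
                "name": "Create IAM Managed Policy",
                "amazon.aws.iam_managed_policy": {
                    "policy_name": "ManagedPolicy",
                    "policy": {"Version": "2012-10-17", "Statement": [
                        {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*"}]},
                    "state": "present"}},
            {  # non-compliant: Action ["*"] and Resource "*"
                "name": "Create admin policy",
                "amazon.aws.iam_managed_policy": {
                    "policy_name": "ManagedPolicy",
                    "policy": {"Version": "2012-10-17", "Statement": [
                        {"Effect": "Allow", "Action": ["*"], "Resource": "*"}]}}},
            {"block": [  # non-compliant: short module name, policy as JSON string, scalar Statement
                {"name": "Legacy admin policy",
                 "iam_managed_policy": {
                     "policy_name": "LegacyAdmin",
                     "policy": json.dumps({"Version": "2012-10-17", "Statement":
                                           {"Effect": "Allow", "Action": "*", "Resource": "*"}})}}]},
        ],
    }
]

if __name__ == "__main__":
    for task_name, index in find_full_privilege_policies(SAMPLE_PLAYBOOK):
        print(f"FLAGGED: task '{task_name}', Statement[{index}] allows * on *")
```

Run against a real playbook by replacing `SAMPLE_PLAYBOOK` with `yaml.safe_load(open("playbook.yml"))`. The `Deny` effect and a wildcard on only one of `Action` or `Resource` are deliberately not flagged, matching the rule's definition; a policy that grants `"*"` on a single ARN is still worth a manual look, but it is a different finding.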

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Create IAM Managed Policy
  amazon.aws.iam_managed_policy:
    policy_name: ManagedPolicy
    policy:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action: logs:CreateLogGroup
        Resource: '*'
    make_default: false
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: Create IAM Managed Policy
  amazon.aws.iam_managed_policy:
    policy_name: "ManagedPolicy"
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Action: ["*"]
        Resource: "*"
    make_default: false
    state: present
```
