Information
Ensure AWS resource-based policies, such as Amazon S3 bucket policies, Amazon SQS queue policies, Amazon SNS topic policies, and AWS Lambda resource policies, do not grant unrestricted access using "Principal": "*" with "Effect": "Allow" unless the policy includes restrictive conditions that limit access to specific trusted identities, accounts, services, or network boundaries.
Resource-based policies are evaluated alongside identity-based IAM policies during authorization decisions. When a policy statement specifies "Principal": "*" with "Effect": "Allow", it grants the specified permissions to any AWS principal unless additional conditions restrict the request. This may unintentionally allow access from users, roles, or services in any AWS account. Such broad access significantly increases the risk of unauthorized data access, resource abuse, or data exfiltration.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
If a resource policy contains "Principal": "*" with "Effect": "Allow" and lacks sufficient restrictions, modify the policy to limit access.
OPTION 1 - Restrict the Principal
Replace the wildcard principal ("Principal": "*") with a specific account, role, user, or service.
Example: Non-Compliant Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:my-queue"
    }
  ]
}
Steps:
- Retrieve the current policy:
aws sqs get-queue-attributes \
  --queue-url https://sqs.us-east-1.amazonaws.com/123456789012/my-queue \
  --attribute-names Policy \
  --query 'Attributes.Policy'
- Update the policy with a specific principal:
aws sqs set-queue-attributes \
  --queue-url https://sqs.us-east-1.amazonaws.com/123456789012/my-queue \
  --attributes '{
    "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowSpecificAccount\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::345678901234:root\"},\"Action\":\"sqs:SendMessage\",\"Resource\":\"arn:aws:sqs:us-east-1:123456789012:my-queue\"}]}"
  }'
Resulting Compliant Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSpecificAccount",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::345678901234:root"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:my-queue"
    }
  ]
}
OPTION 2 - Restrict Using Conditions
If a wildcard principal is required, add restrictive conditions.
Example: Compliant Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowServiceIntegration",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:my-queue",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "345678901234"
        }
      }
    }
  ]
}
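Because Nessus does not perform this check itself, the following added example (not part of the benchmark text or any Tenable tooling) shows the evaluation logic as code: it parses a resource-based policy, such as the string returned by the get-queue-attributes command above, and reports every statement that combines "Effect": "Allow" with a wildcard principal and no narrowing condition. The three sample policies are constructed to mirror the non-compliant and compliant examples on this page; the set of condition keys treated as restrictive is an assumption and should be adjusted to your organisation's approved patterns.

```python
import json

# Constructed sample policies modelled on the examples in this benchmark
# (the account IDs are the placeholders used on the page, not real accounts).
NON_COMPLIANT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPublicAccess", "Effect": "Allow", "Principal": "*",
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:123456789012:my-queue"}]}

COMPLIANT_PRINCIPAL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowSpecificAccount", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::345678901234:root"},
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:123456789012:my-queue"}]}

COMPLIANT_CONDITION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowServiceIntegration", "Effect": "Allow", "Principal": "*",
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:123456789012:my-queue",
        "Condition": {"StringEquals": {"aws:SourceAccount": "345678901234"}}}]}

# Assumption: condition keys that scope a wildcard principal to a trusted
# identity, account, service or network boundary. Compared case-insensitively
# because IAM condition keys are not case-sensitive.
RESTRICTIVE_KEYS = {
    "aws:sourceaccount", "aws:sourcearn", "aws:sourceowner",
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:principalorgpaths", "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
}


def is_wildcard_principal(principal):
    """True when the Principal element grants to any AWS principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        # {"AWS": "*"} is equivalent to "Principal": "*"
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def has_restrictive_condition(statement):
    """True when at least one condition actually narrows who may call."""
    for operator, keys in statement.get("Condition", {}).items():
        # Negated operators (StringNotEquals, NotIpAddress, ArnNotLike) and
        # ...IfExists variants do not limit access to known trusted callers.
        if "Not" in operator or operator.endswith("IfExists"):
            continue
        if any(key.lower() in RESTRICTIVE_KEYS for key in keys):
            return True
    return False


def find_unrestricted_statements(policy):
    """Return the Sids (or positions) of Allow statements open to any principal.

    Accepts either a parsed policy dict or the JSON string that
    `aws sqs get-queue-attributes --query Attributes.Policy` returns.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unlisted
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_wildcard_principal(stmt.get("Principal")):
            continue
        if has_restrictive_condition(stmt):
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


if __name__ == "__main__":
    for name, pol in [("non-compliant", NON_COMPLIANT),
                      ("restricted principal", COMPLIANT_PRINCIPAL),
                      ("restricted by condition", COMPLIANT_CONDITION)]:
        print(f"{name}: unrestricted statements = {find_unrestricted_statements(pol)}")
```

A statement that passes this check is not automatically safe: the condition keys it recognises only prove that some trust boundary was declared, so any finding list that comes back empty still deserves a review of which accounts, ARNs or networks those conditions actually name.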
Impact:
Unrestricted resource-based policies may expose data or services to unauthorized access, potentially leading to data breaches, service misuse, or unintended public exposure.