Compliance · High severity

AWS Security Hub · IAM

IAM.1: A policy grants full "*" administrative privileges

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub IAM.1 check?

IAM.1 inspects your customer-managed IAM policies and fails any whose statements allow "Action": "*" on "Resource": "*" with Effect Allow. In other words, a policy that grants full administrative access to everything.

Why does IAM.1 matter?

A wildcard-admin policy attached to a user, role, or — worst of all — a machine identity collapses every other guardrail you have. One leaked key or one compromised workload with that policy can read every bucket, delete every database, and create new backdoor identities. Least privilege only works if no single policy re-grants everything.

How do I fix IAM.1?

  1. Identify which policies grant Action "*" on Resource "*" (Access Analyzer and the IAM console policy view both flag these).
  2. Replace the wildcard with the specific services and actions each principal actually uses — start from CloudTrail/Access Analyzer last-accessed data.
  3. Reserve broad access for a small number of break-glass roles protected by MFA and session logging, not for everyday identities.
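
The check described above and the before/after of step 2, as an added Python example (this is not Emnode's code and not AWS's implementation of the control). It flags a statement only when Effect is Allow and both Action and Resource contain the bare "*", handles the shapes IAM allows (string or list, Statement as a single object, a JSON string instead of a dict), and confirms that a scoped replacement passes. The policy names and documents are constructed for illustration; the account ID and stack name reuse the placeholders from the remediation script.

```python
import json
from typing import Any

# Constructed policy documents for illustration (hypothetical, not from the page).

# Before: the pattern IAM.1 fails -- Effect Allow, Action "*", Resource "*".
FULL_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# After: the same CI principal limited to the actions it actually used,
# which is what step 2 derives from last-accessed data.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-artifacts/*",
        },
        {
            "Effect": "Allow",
            "Action": "cloudformation:UpdateStack",
            "Resource": "arn:aws:cloudformation:*:111122223333:stack/payments-iam-prod/*",
        },
    ],
}

# Edge cases a naive string search gets wrong: a Deny that uses the same
# wildcards (not a finding), and "*" buried inside a list of actions (a finding).
MIXED_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
        },
        {"Effect": "Allow", "Action": ["s3:GetObject", "*"], "Resource": ["*"]},
    ],
})

# IAM also accepts Statement as a single object rather than a list.
SINGLE_STATEMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["*"], "Resource": "*"},
}


def _as_list(value: Any) -> list:
    """Action, Resource and Statement may each be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin_statement(stmt: dict) -> bool:
    """True when one statement allows every action on every resource.

    This is the IAM.1 condition: Effect Allow with Action "*" over Resource "*".
    A Deny statement, a service wildcard such as "iam:*", or a NotAction /
    NotResource form does not match this particular control.
    """
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return "*" in actions and "*" in resources


def find_full_admin_statements(policy_document: Any) -> list[int]:
    """Indexes of the statements in one policy document that would fail IAM.1.

    Accepts a dict or a JSON string (the IAM API returns the document as a
    URL-encoded string; decode it before passing it here).
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = _as_list(doc.get("Statement"))
    return [i for i, stmt in enumerate(statements) if is_full_admin_statement(stmt)]


def audit(policies: dict[str, Any]) -> dict[str, list[int]]:
    """Map policy name -> offending statement indexes, listing only failing policies.

    Feed it the default version of each customer-managed policy; AWS-managed
    policies such as AdministratorAccess are outside the scope of IAM.1.
    """
    findings = {}
    for name, document in policies.items():
        hits = find_full_admin_statements(document)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    sample = {
        "ci-deploy-policy": FULL_ADMIN_POLICY,
        "ci-deploy-scoped": SCOPED_POLICY,
        "mixed": MIXED_POLICY_JSON,
        "single-statement": SINGLE_STATEMENT_POLICY,
    }
    for name, hits in audit(sample).items():
        print(f"{name}: statement(s) {hits} grant Action * on Resource *")
```

Run against real data, the input to audit would be the decoded Document field from get-policy-version for each customer-managed policy's default version; the scoped policy above is the kind of document you would pass to create-policy-version in the remediation script.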

Remediation script · bash

# Replace a full-admin policy with a scoped version (keep the old one as rollback, then delete).
# --set-as-default makes the scoped version active immediately; the previous version
# stays available for rollback until you delete it.
aws iam create-policy-version \
  --policy-arn arn:aws:iam::111122223333:policy/ci-deploy-policy \
  --policy-document file://ci-deploy-scoped.json --set-as-default
# ... verify a staging and a prod run, then ...
# A managed policy holds at most five versions, so retire the old wildcard version once
# the scoped one is proven (the current default version cannot be deleted).
aws iam delete-policy-version \
  --policy-arn arn:aws:iam::111122223333:policy/ci-deploy-policy --version-id v3

# Attach a scoped service role to a CloudFormation stack with no resource churn.
aws cloudformation update-stack --stack-name payments-iam-prod \
  --use-previous-template \
  --role-arn arn:aws:iam::111122223333:role/cfn-payments-iam-deployer \
  --capabilities CAPABILITY_NAMED_IAM

# Attach a least-privilege resource policy to a custom event bus (one named account).
aws events put-permission --event-bus-name orders-bus \
  --statement-id AllowPartner444455556666 --action events:PutEvents --principal 444455556666

Full walkthrough (console steps, edge cases and verification) in the lesson Harden resource and service-role policies.

Is IAM.1 a false positive?

AWS-managed policies such as AdministratorAccess are out of scope: IAM.1 evaluates only customer-managed policies, so detaching AdministratorAccess does not clear the finding. You must remediate the offending customer-managed policy document itself.

Part of the learning path Lock down access
  • IAM.2 Policies attached directly to users do not scale or audit cleanly
  • IAM.3 Long-lived access keys have not been rotated
  • IAM.4 The root user still has long-lived access keys
  • IAM.5 Console users without MFA are one phish from compromise
  • IAM.6 The root user is not protected by hardware MFA
  • IAM.7 The IAM password policy is too weak
  • IAM.8 Unused IAM keys and passwords are waiting to be leaked
  • IAM.9 The root user can sign in without MFA
  • IAM.10 IAM user password policies should be strong (PCI DSS)
  • IAM.19 MFA should be enabled for all IAM users
  • IAM.21 Wildcard permissions grant far more access than intended
  • IAM.22 IAM credentials unused for 45 days should be removed