Compliance

Harden resource and service-role policies

One capability across IAM, CloudFormation and EventBridge: make sure the policies that grant permissions and govern shared resources are scoped on purpose, so a leak or a mistake cannot reach the whole account.

13 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: CloudFormation.4 EventBridge.3 IAM.1

Hardening policies: the basics

What does it mean for a policy to be scoped on purpose?

Policies are where AWS decides who can do what. This capability is about three places that policy goes wrong by default or by habit: an IAM policy that allows every action on every resource, a CloudFormation stack that deploys with the deployer's broad credentials instead of a scoped service role, and an EventBridge custom bus with no resource-based policy governing who may publish to it. Different services, different policy types, one theme: permissions granted broadly because it was faster, or left implicit because nobody decided, when they should be deliberate and minimal.

AWS Security Hub turns each of these into its own control. IAM.1 fails any customer-managed policy whose default version allows Action * on Resource *. CloudFormation.4 fails a stack with no RoleARN, meaning it runs with whatever identity triggered the deploy. EventBridge.3 fails a custom event bus that has no resource-based policy attached, leaving access governed only by callers' IAM. They read as separate findings, but they are one capability: scope the grant to exactly what is needed, and write down who is allowed in.

These almost never reflect what the principal or resource actually needs. A full-admin policy is usually AdministratorAccess copied into a custom policy to unblock a deploy; a roleless stack inherits a CI role with iam:* because nobody attached a scoped one; an unpolicied bus is a default-allow-within-the-account that nobody decided. The job is to find every over-broad or implicit grant, derive what is genuinely required, replace the grant with a scoped one, and put a guardrail so the broad path requires a deliberate, reviewed exception.

In this lesson you will learn how AWS expresses over-broad and implicit grants across IAM, CloudFormation and EventBridge, how to find every one in an account, and how to scope them down without breaking the deploys, principals or integrations that depend on them. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The weekend an admin key cost five figures

A startup committed an IAM access key to a public repository on a Friday afternoon. The key belonged to a service account whose custom policy granted Action * on Resource *, written that way months earlier to just make the CI pipeline work. Automated scanners that crawl repositories for AWS keys found it within minutes, and by Monday the attacker had launched hundreds of GPU instances across every Region to mine cryptocurrency, running up a five-figure bill before the billing alarm fired. A scoped policy granting only the dozen actions the pipeline actually used would have made the same leaked key nearly worthless: the attacker could have pushed to one repository and nothing else.

Finding over-broad and implicit grants across an estate

Devon runs cloud security at a Series B company. Security Hub shows policy-hardening failures across IAM, CloudFormation and EventBridge, and the most dangerous is an IAM.1 finding on a customer-managed policy attached to the role the CI pipeline assumes on every merge.

Rather than work the findings one by one, he starts with the over-broad grant most likely to leak, the CI deploy policy, by reading its default version to confirm the allow-all statement before he derives a scoped replacement.

Read the default version of the suspect customer-managed policy. An allow-all-actions-on-all-resources statement is exactly the IAM.1 failure.

$ aws iam get-policy-version --policy-arn arn:aws:iam::111122223333:policy/ci-deploy-policy --version-id v3 --query 'PolicyVersion.Document' --output json

{

"Statement": [{

"Effect": "Allow",

"Action": "*",

"Resource": "*"

}]

}

# Action:* on Resource:* on a CI role is the IAM.1 failure and the highest leak risk.

A wildcard action on a wildcard resource is the worst case. Derive the real footprint before replacing it so the deploy keeps working.

How AWS evaluates these policiesdeep dive

Each control checks a different policy surface. IAM.1, backed by the Config rule iam-policy-no-statements-with-admin-access, inspects only the default version of customer-managed policies and fails on a statement with Effect Allow, Action *, and Resource *. It deliberately ignores inline policies, AWS-managed policies and permission boundaries, so a full-admin grant can hide inline and still pass; audit those separately. CloudFormation.4 fails a stack whose RoleARN is null, because without a service role the stack inherits the deployer's identity for every API call it makes. EventBridge.3 fails a custom event bus with no resource-based policy, which is a default-allow within the account, not a locked door.

Scoping correctly means deriving the real need, not guessing. IAM Access Analyzer can generate a least-privilege policy from a role's CloudTrail history, and the service-last-accessed details show which services a principal has actually used; together they turn replace the wildcard from a risky guess into a data-backed exercise. A CloudFormation service role's trust policy must name cloudformation.amazonaws.com and only that, so no human or other service can assume it; its permissions policy then becomes the stack's exact blast radius. An event-bus policy should scope to a specific principal, the bus ARN, and conditions like aws:PrincipalOrgID rather than a bare wildcard.

The durable version of this capability is preventive. Replace the over-broad grant as a new policy version, verify, then delete the old one, but back it with guardrails: a permission boundary that caps what roles can grant, a Service Control Policy that denies creating full-admin policies or denies roleless CreateStack in production, an IaC default that attaches a bus policy at creation. Detective controls catch drift; the guardrails stop the broad or implicit grant shipping in the first place.

What is the impact of leaving these policies broad?

The direct impact is blast radius. A credential carrying Action * on Resource * can read or delete every resource, create new admin users for persistence and disable the logging that would reveal it; once it leaks, the worst case and the actual case are the same. A stack deploying with the deployer's broad credentials means a poisoned template or a hijacked CI runner can do anything the deployer could, including creating back-door admin access. An unpolicied event bus accepts events from any same-account principal, so an unexpected publisher can set off real workflows on input you never intended to accept.

The second-order impact is auditability. With a scoped service role, every API call CloudFormation makes is attributed to a named role in CloudTrail; without one, a pipeline deploy is indistinguishable from the human whose role it borrowed, and forensics gets significantly harder. The same logic runs through the capability: a policy with a named principal implies a named owner who made a deliberate decision, while a wildcard or a null policy implies nobody owns the access question.

On the compliance side, least privilege is an explicit requirement in CIS, PCI DSS and NIST 800-53, and these controls are direct evidence of whether it holds. A standing failure shows up in audit evidence and customer security questionnaires and can stall a SOC 2 report, a PCI attestation or an enterprise deal whose close is gated on the prospect's security review. The fix is cheap; the deal delay or audit remediation from an open finding is not.

How do you harden these policies safely?

Work the capability as one loop rather than chasing individual findings. The order matters: derive the real need before you replace a grant, and verify before you delete the old one, so you do not break a deploy or a live integration.

1. Inventory the over-broad and implicit grants

Enumerate customer-managed policies whose default version is Action * on Resource *, CloudFormation stacks with a null RoleARN, and custom event buses with no resource-based policy. Rank by leak risk and blast radius: full-admin policies on CI, third-party or source-control-touching roles first, then IAM-managing and production roleless stacks, then unpolicied buses. Remember IAM.1 ignores inline grants, so audit those separately.

2. Derive what each grant actually needs

Do not guess the scope. Use IAM Access Analyzer policy generation against a principal's CloudTrail history and the service-last-accessed details to find the real footprint, usually a small set of actions on named resources. For a stack, read the template and map each resource type to its minimum permissions. For an event bus, answer who is supposed to publish, a specific account, an Organization, same-account services only, before writing anything; a bus nobody can answer for is an ownership problem, not a policy one.

3. Replace the grant, verify, then remove the old one

Create the scoped IAM policy as a new default version while keeping the old one as rollback, attach a scoped service role to the stack with update-stack --use-previous-template so there is no resource churn, and attach a least-privilege bus policy with put-permission. Exercise the principal, deploy or integration end-to-end, then delete the old wildcard version once it is confirmed working. Deleting prematurely risks an outage; leaving the old version risks someone reverting to it.

4. Prevent it shipping again

Closing existing grants is one-off; stopping new ones is the durable fix. Use a permission boundary to cap what roles can grant, a Service Control Policy to deny full-admin policy creation and roleless CreateStack or UpdateStack in production, and IaC defaults that attach a service role per stack and a resource policy per bus at creation. Keep the relevant AWS Config rules enabled. The goal is that a broad or implicit grant requires a deliberate, reviewed exception, never an accidental copy-paste.

# Replace a full-admin policy with a scoped version (keep the old one as rollback, then delete).
aws iam create-policy-version \
  --policy-arn arn:aws:iam::111122223333:policy/ci-deploy-policy \
  --policy-document file://ci-deploy-scoped.json --set-as-default
# ... verify a staging and a prod run, then ...
aws iam delete-policy-version \
  --policy-arn arn:aws:iam::111122223333:policy/ci-deploy-policy --version-id v3

# Attach a scoped service role to a CloudFormation stack with no resource churn.
aws cloudformation update-stack --stack-name payments-iam-prod \
  --use-previous-template \
  --role-arn arn:aws:iam::111122223333:role/cfn-payments-iam-deployer \
  --capabilities CAPABILITY_NAMED_IAM

# Attach a least-privilege resource policy to a custom event bus (one named account).
aws events put-permission --event-bus-name orders-bus \
  --statement-id AllowPartner444455556666 --action events:PutEvents --principal 444455556666

Quick quiz

Question 1 of 5

Security Hub shows policy failures across IAM.1, CloudFormation.4 and EventBridge.3. What is the most efficient way to think about them?

Keep learning

Go deeper on least privilege and the policy surfaces this capability hardens.

You can now treat policy hardening as one capability rather than a scatter of findings: inventory the over-broad and implicit grants across IAM, CloudFormation and EventBridge, derive what each one actually needs, replace and verify before deleting the old grant, and enforce least privilege at creation with permission boundaries, Service Control Policies and IaC defaults. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

Hardening policies: the cost and risk view

A near-zero-cost capability that bounds the blast radius of a leak or a mistake

Every control in this group costs nothing in AWS spend to fix. Scoping a full-admin policy, attaching a service role to a stack, or adding a resource policy to an event bus are configuration changes, not paid features. The financial relevance is entirely on the risk side: these grants are the precondition for turning one leaked credential, one bad commit or one poisoned template into an account-wide incident.

The most concrete cost scenario is a leaked over-privileged credential. Automated bots crawl public code repositories for AWS keys continuously, and a leaked key with full admin is typically used to launch large compute fleets across every Region for cryptocurrency mining, generating five-figure bills within hours. A scoped policy makes the same leaked key nearly worthless. The same shape applies to a roleless deploy pipeline: a compromise inherits the deployer's full reach rather than a stack's narrow footprint.

Frame each finding by leak risk. A full-admin policy attached to a CI role that touches source control is the urgent one, because those are the credentials that actually leak; a documented break-glass admin role is a justified residual. These controls also map to PCI DSS, CIS and NIST least-privilege requirements, so an open finding surfaces in a SOC 2 exception or a customer security review and can stall a deal, a budget event finance owns even though the finding never hits the cloud invoice.

This lesson is for the finance partner who sees IAM and policy findings on the security report and wants to know which ones actually matter to the business and what they cost. It covers why these fixes are free, how an over-broad grant connects to runaway-bill and audit exposure, and how to prioritise by leak risk while accepting a justified residual.

Fun fact

The weekend an admin key cost five figures

How a finance partner frames the over-broad grant findings

Devon brings the Security Hub policy-hardening export to his finance partner at the Series B company. The instinct in the room is to size a remediation budget, and the answer reframes the conversation immediately: scoping a full-admin policy, attaching a service role to a CloudFormation stack, or adding a resource policy to an event bus are configuration changes, not paid features. None of them shows up on the AWS bill. So this is not a spend item at all, it is a tail-risk item, and the finance question is which of these grants is the precondition for turning one leaked credential into an account-wide incident.

The way Devon's partner sizes it is by leak risk, not by finding count. The IAM.1 full-admin policy attached to the CI role that runs on every merge is the urgent one, because CI credentials are exactly the kind that get committed to a public repository and found by automated scanners within minutes, with a five-figure cryptomining bill arriving before the billing alarm fires. A documented break-glass admin role used by two named people is a justified residual the partner can accept. She ranks the findings by what actually leaks, gives the source-control-touching and IAM-managing roles committed dates, and funds the permission boundary and SCP guardrail so the wildcard grant cannot reappear one ticket at a time.

Why broad policies belong on the risk register

The cost model here is asymmetric. There is no recurring line item for an over-broad policy; its cost is zero until the day it is not, and then it is potentially enormous. The expected-value framing is the right one: a small ongoing probability of a leaked or compromised credential, multiplied by a very large impact, account-wide compromise, runaway bills, breach response and regulatory exposure.

The most concrete financial scenario is runaway compute from a leaked over-privileged key, documented at five figures in hours, because the leaked credential could spin up any resource at any scale. The same shape applies to a roleless deploy pipeline whose compromise inherits the deployer's full reach. Cleaning these up is buying down tail risk at near-zero cost.

There is also a real audit-and-deals dimension. These controls map to PCI, CIS and NIST least-privilege requirements, so an open finding surfaces in a SOC 2 exception or a customer security review and can stall a contract; deal slippage and audit remediation are budget events even though the finding never appears on the cloud bill. The finance role is to make remediation a tracked, owned, time-boxed commitment, prioritise by leak risk, and watch the trend, accepting a small justified residual rather than demanding an unrealistic zero.

What finance can do about the over-broad grant gap

Finance cannot write the scoped policy, but it can set the framing that turns a scatter of IAM, CloudFormation and EventBridge findings into a governed, risk-ordered plan and a bought-down tail risk. Three levers.

1. Cost the gap as tail risk, not a line item

There is no recurring charge for an over-broad policy; its cost is zero until the day it is not, and then it is potentially enormous. The expected-value framing is the right one: a small ongoing probability of a leaked or compromised credential multiplied by a very large impact, account-wide compromise, a documented five-figure cryptomining bill in hours, breach response and regulatory exposure. Cleaning these up is buying down that tail at near-zero AWS cost, which makes the remediation an easy approval that needs no budget line.

2. Prioritise by leak risk, and accept a justified residual

The raw finding count is misleading because the danger is concentrated. Full-admin policies on CI, third-party or source-control-touching roles are the credentials that actually leak and belong at the top of the order; IAM-managing and production roleless stacks come next, then unpolicied buses. A documented break-glass admin role is a justified residual, not a failure to chase. The finance move is to push for a small justified residual rather than an unrealistic zero, and to make remediation a tracked, owned, time-boxed commitment.

3. Fund the guardrail and watch the trend, not just the count

These controls map to PCI DSS, CIS and NIST least-privilege requirements, so an open finding surfaces in a SOC 2 exception or a customer security review and can stall a contract, a deal-slippage cost finance owns even though it never hits the cloud invoice. The durable move is to fund the permission boundaries, Service Control Policies and IaC defaults that stop a broad or implicit grant shipping in the first place, then track the trend of the count. A rising count is the leading indicator that the upstream discipline has slipped.

Quick quiz

Question 1 of 5

What is the direct AWS spend impact of scoping a full-admin policy, attaching a service role to a stack, or adding a resource policy to an event bus?

Keep learning

Go deeper on least privilege and the policy surfaces this capability hardens.

You have finished the finance view of policy hardening. You know there is no AWS spend to fix these grants, that their cost is tail risk, a leaked over-privileged credential running up a five-figure bill in hours, and that an open finding maps to PCI, CIS and NIST least-privilege requirements and can stall a SOC 2 report or a deal. Next time the IAM, CloudFormation and EventBridge findings appear, you will cost them as expected-value tail risk, prioritise by leak risk while accepting a justified residual, and fund the guardrail that stops the wildcard grant coming back.

Back to the library

Hardening policies: the headline

Whether broad and implicit permissions are the exception or the default

These findings are about the difference between trust and policy. A credential that can do anything, a deploy pipeline that borrows admin, an event bus that anyone in the account can publish to: each turns a routine leak or a bad change into a whole-account event rather than a contained one. The report shows them as a scatter of separate findings.

The leadership question is not the count; it is whether broad access is the exception, granted deliberately and owned, or the default that nobody narrowed. The defensible end state is a small, justified set of broad grants, with everything else scoped tight and the broad path requiring explicit sign-off, enforced by a guardrail rather than a guideline.

None of this is a cost decision; the fixes are free. It is a governance decision about whether permissions are granted on purpose or handed out broadly because it was faster.

A short read for the leader who needs to know why over-broad and implicit permissions turn a routine leak into a major incident, why closing them is a governance decision rather than a budget one, and what a defensible end state looks like: broad access is the deliberate exception, everything else is scoped, and a guardrail enforces it.

Fun fact

The weekend an admin key cost five figures

What it looks like when broad access is the exception, not the default

After a customer security questionnaire asked the company to attest that automation never runs with full admin, the executive team stopped treating the IAM, CloudFormation and EventBridge findings as separate engineering tickets. A credential that can do anything, a deploy pipeline that borrows admin, an event bus anyone in the account can publish to: these were not a dozen problems but one question the company could not answer cleanly. Broad access granted on purpose and owned is a control the business can attest to. Broad access nobody narrowed is an assumption written on an audit finding.

Leadership set the end state rather than the implementation: a small, justified set of broad grants, everything else scoped tight, and the broad path requiring explicit sign-off enforced by a guardrail rather than a guideline. Because the fix is free, this was never a budget decision. Because the downside spans breach risk, runaway cost and revenue risk at once, it was one of the rare items a CFO, a CISO and a head of sales all cared about, and the decision they made was simply whether permissions are granted deliberately or handed out broadly because it was faster.

Why this is a board-level risk

These are the access findings most likely to turn an ordinary credential leak or a routine deploy into a serious incident. A small, stable, well-justified set means access discipline is working; a growing count means broad and implicit permissions are being handed out by default, and the same pattern is almost certainly present in the access you cannot see on one dashboard.

Because the fix is free and the downside spans breach risk, runaway cost and revenue risk at once, this is one of the rare items a CFO, a CISO and a head of sales should all care about. The leadership move is to make broad access a deliberate exception, keep automation away from full admin and roleless deploys, and back the standard with a guardrail so the broad or implicit grant cannot reappear one ticket at a time.

The leadership move on policy hardening

The executive handle is not to approve each policy change, it is to make broad access a deliberate, owned exception and back the standard with a guardrail so the broad or implicit grant cannot reappear one ticket at a time.

1. Set a deadline for the highest-leak grants

The fix is free and standard but it drifts without pressure, because scoping a wildcard policy or attaching a service role always loses to feature work when nobody is asking. Give the full-admin grants on CI, source-control and IAM-managing roles a committed date to be scoped and verified, and ask to see that date met. This is where leadership insistence changes the outcome, since the engineering is not hard, only unscheduled, and these are precisely the credentials that turn a routine leak into a serious incident.

2. Keep automation away from full admin and roleless deploys by default

Make least privilege the default position for every CI role, service account and CloudFormation stack, enforced in shared modules and a Service Control Policy rather than remembered per change. The right end state is that a pipeline cannot run with full admin and a stack cannot deploy without a scoped service role, so the findings can only appear for a known list of legacy grants being scoped, never for something new.

3. Treat any broad grant as a recorded exception with a named owner

A grant intentionally left broad, a documented break-glass admin role for example, should carry a governance-visible reason and a named owner, not a silently suppressed finding. A policy with a named principal implies someone made a deliberate decision; a wildcard or a null policy implies nobody owns the access question. Ask for the exception list and who owns each one, not just the pass rate.

Quick quiz

Question 1 of 5

What is the right leadership question about over-broad and implicit permissions?

Keep learning

Go deeper on least privilege and the policy surfaces this capability hardens.

Two takeaways: an over-broad or implicit grant is what turns a routine leak or deploy into an account-wide incident, and the fix is free but drifts without a deadline and a guardrail. The leadership outcome is the highest-leak grants scoped on a committed schedule, automation kept away from full admin and roleless deploys by default, and every remaining broad grant a recorded, owned exception. The question to ask is not how much will this cost, it is whether broad access is the deliberate exception or the default nobody narrowed.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

Harden resource and service-role policies

Hardening policies: the basics

The weekend an admin key cost five figures

Finding over-broad and implicit grants across an estate

How AWS evaluates these policiesdeep dive

What is the impact of leaving these policies broad?

How do you harden these policies safely?

1. Inventory the over-broad and implicit grants

2. Derive what each grant actually needs

3. Replace the grant, verify, then remove the old one

4. Prevent it shipping again

Quick quiz

Keep learning

Hardening policies: the cost and risk view

The weekend an admin key cost five figures

How a finance partner frames the over-broad grant findings

Why broad policies belong on the risk register

What finance can do about the over-broad grant gap

1. Cost the gap as tail risk, not a line item

2. Prioritise by leak risk, and accept a justified residual

3. Fund the guardrail and watch the trend, not just the count

Quick quiz

Keep learning

Hardening policies: the headline

The weekend an admin key cost five figures

What it looks like when broad access is the exception, not the default

Why this is a board-level risk

The leadership move on policy hardening

1. Set a deadline for the highest-leak grants

2. Keep automation away from full admin and roleless deploys by default

3. Treat any broad grant as a recorded exception with a named owner

Quick quiz

Keep learning

Controls this lesson covers

CloudFormation

EventBridge

IAM

Related compliance lessons