← all rules
iac/cloudformation/cfn-iam-wildcard-action
IAM policy grants wildcard action
highCloudFormationiac-cloudformation
What it detects
A statement with `Action: "*"` (or `"<service>:*"`) grants every API call. Combined with a broad resource this is effectively admin and violates least privilege.
Remediation
Enumerate the specific actions the principal needs (e.g. `s3:GetObject`) instead of `*`.
How it runs
Run against YAML/JSON files that look like CloudFormation templates (AWSTemplateFormatVersion, or Resources + an AWS:: type). Line-based checks; the security-group rule tracks ingress-vs-egress context. Non-template YAML/JSON is skipped.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.