← all rules

iac/cloudformation/cfn-iam-wildcard-resource

IAM policy grants wildcard resource

mediumCloudFormationiac-cloudformation

What it detects

`Resource: "*"` applies a statement to every resource in the account. Paired with broad actions it removes any blast-radius boundary on the granted permissions.

Remediation

Scope the statement to specific ARNs instead of `*`.

How it runs

Run against YAML/JSON files that look like CloudFormation templates (AWSTemplateFormatVersion, or Resources + an AWS:: type). Line-based checks; the security-group rule tracks ingress-vs-egress context. Non-template YAML/JSON is skipped.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.