← all rules

iac/iam/iam-aws-public-principal

AWS IAM policy trusts any principal (*)

highCloud IAMiac-iam

What it detects

A `"Principal": "*"` (or `{"AWS": "*"}`) in a resource/trust policy lets ANY AWS account assume the role or access the resource. This is a frequent cause of public S3 buckets and confused-deputy role assumption.

Remediation

Restrict the principal to specific account IDs / role ARNs, and add a `Condition` (e.g. `aws:SourceArn`).

How it runs

Run against JSON/YAML/source files. AWS IAM rules require a policy-document context (Statement + Effect); GCP primitive roles are matched anywhere. HCL is left to the Terraform layer.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.