← all rules

iac/iam/iam-azure-custom-role-wildcard

Azure custom role grants wildcard actions (*)

highCloud IAMiac-iam

What it detects

An Azure custom role definition with `"Actions": ["*"]` grants every control-plane operation in the assignable scope — effectively Owner-level management access.

Remediation

Enumerate the specific `Actions` the role needs (e.g. `Microsoft.Storage/storageAccounts/read`) instead of `"*"`.

How it runs

Run against JSON/YAML/source files. AWS IAM rules require a policy-document context (Statement + Effect); GCP primitive roles are matched anywhere. HCL is left to the Terraform layer.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.