Avoid Using 'Allow' and 'NotAction' Policies

IAM misconfigurations

Avoid Using ‘Allow’ and ‘NotAction’ Policies

Risk Level

Informational (4)

Platform(s)

Compliance Frameworks

Brazilian General Data Protection (LGPD)
CCPA
CPRA
Data Security Posture Management (DSPM) Best Practices
GDPR
ISO/IEC 27001
New Zealand Information Security Manual
NIST 800-171
NIST 800-53
Orca Best Practices
PDPA
UK Cyber Essentials

Description

Ensure that your Amazon IAM policies (inline and customer managed) do not use ""Effect"" : ""Allow"" in combination with ""NotAction"" element in order to follow security best practices and adhere to the principle of least privilege. ""NotAction"" is an advanced policy element that explicitly matches everything except the specified list of actions. Using NotAction with ""Effect"" : ""Allow"" can result in a shorter policy by listing only a few actions that should not match, but the inappropriate use of the combination can make the policy too permissive, leading eventually to unauthorized access.

Recommended Mitigation

Prefer using more explicit policies that adhere to the principle of least privilege

Avoid Using ‘Allow’ and ‘NotAction’ Policies

Description

Need help?

CLOUD SECURITY PLATFORM

TECHNOLOGY ECOSYSTEM

By Solution

By Industry

COMPARISONS