IAM misconfigurations

Avoid Using ‘Allow’ and ‘NotAction’ Policies

Risk Level

Informational (4)

Platform(s)
Compliance Frameworks

Description

Ensure that your Amazon IAM policies (inline and customer managed) do not use "Effect": "Allow" in combination with the "NotAction" element, in order to follow security best practices and adhere to the principle of least privilege. "NotAction" is an advanced policy element that explicitly matches everything except the specified list of actions. Using "NotAction" with "Effect": "Allow" can produce a shorter policy by listing only the few actions that should not match, but inappropriate use of this combination can make the policy far too permissive, eventually leading to unauthorized access.
Recommended Mitigation

Prefer using more explicit policies that adhere to the principle of least privilege.
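As an added example, not part of the original rule text or of any vendor's checker, the following Python script implements the check described above over IAM policy documents: it flags every statement that combines "Effect": "Allow" with "NotAction", and leaves "Deny" + "NotAction" alone, since denying everything except a short list is the legitimate use of the element. Both policy documents embedded in the script are constructed samples, and the function names `find_allow_notaction` and `is_compliant` are my own.

```python
import json

# Constructed sample: an overly broad policy using "Effect": "Allow" with "NotAction".
# It grants every action except IAM ones, far more than a least-privilege role needs.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEverythingExceptIam",
            "Effect": "Allow",
            "NotAction": ["iam:*"],
            "Resource": "*",
        }
    ],
}

# Constructed sample: the explicit, least-privilege form the mitigation recommends,
# listing only the actions and resources actually needed.
EXPLICIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        }
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action, NotAction and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_allow_notaction(policy):
    """Return one finding per statement that combines "Effect": "Allow" with "NotAction".

    A statement is reported only when both conditions hold. "Deny" with "NotAction"
    (deny everything except a short list) is a different, legitimate pattern and is
    not reported. Statements without a Sid are identified by their position.
    """
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if "NotAction" not in statement:
            continue
        findings.append({
            "sid": statement.get("Sid", f"statement[{index}]"),
            "not_action": _as_list(statement["NotAction"]),
            "resource": _as_list(statement.get("Resource")),
        })
    return findings


def is_compliant(policy):
    """True when no statement in the policy uses Allow together with NotAction."""
    return not find_allow_notaction(policy)


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("explicit", EXPLICIT_POLICY)):
        print(f"{name}: compliant={is_compliant(policy)} "
              f"findings={json.dumps(find_allow_notaction(policy))}")
```

The checker takes a policy document as a Python dict, which is the shape boto3 already returns in the `Document` field of `get_policy_version` for managed policies and `PolicyDocument` from `get_role_policy` / `get_user_policy` for inline ones, so it can be run over every policy in an account without any further parsing. Statements and "NotAction" values are normalised with `_as_list` because IAM accepts a bare string in place of a single-element list, and a checker that only handles the list form would silently miss those statements.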