include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Noncompliant Code Example

A customer managed policy that grants all permissions by using the wildcard (*) in the ``++Action++`` property:

----
resource "aws_iam_policy" "noncompliantpolicy" {
  name        = "noncompliantpolicy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "*" # Sensitive
        ]
        Effect   = "Allow"
        Resource = [
          aws_s3_bucket.mybucket.arn
        ]
      }
    ]
  })
}
----

== Compliant Solution

A customer managed policy that lists and grants only the required permissions:

----
resource "aws_iam_policy" "compliantpolicy" {
  name        = "compliantpolicy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "s3:GetObject" 
        ]
        Effect   = "Allow"
        Resource = [
          aws_s3_bucket.mybucket.arn
        ]
      }
    ]
  })
}
----

include::../see.adoc[]