IAM policy grants all actions ("*")
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
An IAM statement allowing Action "*" grants every API operation the principal can reach, which defeats least privilege and turns any credential leak into full account access.
Why it matters
An IAM statement allowing Action "*" grants every API operation the principal can reach. That defeats least privilege, and it turns any leak of the attached credential into effective full control over whatever the resource clause permits. Wildcard actions are one of the most common overprivilege findings in cloud accounts.
How to fix it
Replace "*" with the explicit list of actions the workload actually calls, scoped to the services it uses. Start from CloudTrail or IAM Access Analyzer to see which actions are really needed. Grant the minimum set and add to it only as new operations become necessary.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo