Terraform Trust Policy Wildcard Action
Description
Detects overly permissive trust policies in AWS IAM roles that use wildcard (*) actions. This represents a security risk since wildcards in IAM trust policies could allow unintended services or principals to assume the role, potentially leading to privilege escalation or unauthorized access.
Detection Strategy
• Scans Terraform configuration files for aws_iam_role resources
• Examines the assume role trust policy document within the IAM role
• Reports a vulnerability if the trust policy contains action statements with wildcards (*)
• Specifically focuses on the Action or actions field within the trust policy Statement blocks
Vulnerable code example
resource "aws_iam_role" "example_role" {
  name = "vulnerable_role"
  # Vulnerable: Overly permissive policy allows all actions on all resources
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {...

✅ Secure code example
resource "aws_iam_role" "example_role" {
  name = "secure_role"
  # Secure: Explicit assume role policy with limited permissions
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {...
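The detection strategy above, carried out in Python as an added example (not Fluid Attacks' own scanner): it takes the decoded trust-policy document that Terraform's jsonencode({...}) produces and reports every Allow statement whose Action (or actions) field contains a wildcard, including partial ones such as "sts:*". It assumes an HCL parser upstream has already extracted the assume_role_policy argument; the two sample policies are constructed for the example.

```python
import json

# Constructed sample trust policies, i.e. the decoded form of the
# jsonencode({...}) argument; they are not the page's truncated examples.
VULNERABLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Principal": {"AWS": "*"}},
    ],
}

SECURE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"Service": "lambda.amazonaws.com"},
        }
    ],
}


def _as_list(value):
    """Normalise an IAM field that may be absent, a string, or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_actions(policy):
    """Return (statement_index, action) pairs whose action contains '*'.

    Only Allow statements matter for this rule; both the 'Action' and the
    'actions' spelling are inspected, and Statement may be one object or a
    list of objects, as IAM permits.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action")) + _as_list(stmt.get("actions"))
        findings.extend((idx, a) for a in actions if "*" in a)
    return findings


def check_assume_role_policy(policy_json):
    """Decode the jsonencode()'d assume_role_policy string and run the check."""
    return wildcard_actions(json.loads(policy_json))


if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_TRUST_POLICY),
                         ("secure", SECURE_TRUST_POLICY)):
        print(name, check_assume_role_policy(json.dumps(policy)))
```

An empty result for the secure policy does not prove the role is safe: the Principal must still be narrowed, which is outside what this rule inspects.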