Json Principal Wildcard All Principals
Description
Detects the use of wildcards (*) in the Principal element of access control policies, which grants the statement's permissions to every principal rather than to named users, roles or accounts. In AWS policy syntax this includes both the bare form "Principal": "*" and the map form "Principal": {"AWS": "*"}. On a resource policy (an S3 bucket policy, an SQS queue policy, a KMS key policy) such a statement makes the resource reachable from any AWS account and, depending on the service, anonymously, instead of limiting access to specific authorized principals.
Detection Strategy
• Look for policy definitions or configurations in JSON/IAM formats
• Check for principal fields within these policies
• Identify if wildcards (*) or similarly permissive patterns are used to specify principals
• Consider the context: a wildcard principal in an Allow statement of a resource policy is flagged as vulnerable; a wildcard in a Deny statement is restrictive, not permissive, and is not the concern here
• Report a vulnerability when a wildcard is found allowing all principals access; if the statement also carries a Condition block (for example one keyed on aws:PrincipalOrgID or aws:SourceArn), report it for manual review, since the condition may narrow the effective audience
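The following checker implements the strategy above over AWS-style policy JSON. It is an added example, not Fluid Attacks' own rule engine or any code from the original page; the sample policies are constructed for illustration, and the function and field names are assumptions of this example. It handles the three shapes a wildcard principal can take (bare "*", {"AWS": "*"}, and list values containing "*"), ignores Deny statements, and marks Allow statements that carry a Condition so a reviewer can decide whether the condition actually narrows the audience.

```python
import json
from typing import Any, Dict, List

# Constructed sample: a public-read bucket policy (vulnerable).
PUBLIC_READ_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-bucket/*"]
    }
  ]
}
"""

# Constructed sample: same access, but restricted to one role (secure).
RESTRICTED_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictedS3Access",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/specific-reader-role"},
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-bucket/*"]
    }
  ]
}
"""

# Constructed sample: wildcard in map form, narrowed by a Condition, plus a
# Deny statement that also uses "*" but is not a finding.
CONDITIONED_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OrgOnly",
      "Effect": "Allow",
      "Principal": {"AWS": ["*"]},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
"""


def principal_is_wildcard(principal: Any) -> bool:
    """Return True when a Principal element grants to everyone.

    AWS accepts the bare string "*", a map such as {"AWS": "*"}, and a map
    whose values are lists, e.g. {"AWS": ["*"]}. Any of these is a wildcard.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            values = value if isinstance(value, list) else [value]
            if "*" in values:
                return True
    return False


def find_wildcard_principals(policy_json: str) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement whose Principal is a wildcard.

    Deny statements are skipped: a wildcard there restricts rather than
    grants. Each finding records whether a Condition block is present so
    the reviewer can judge whether it narrows the audience.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]

    findings: List[Dict[str, Any]] = []
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue
        if not principal_is_wildcard(statement.get("Principal")):
            continue
        findings.append({
            "statement": statement.get("Sid", f"Statement[{index}]"),
            "actions": statement.get("Action"),
            "needs_review": "Condition" in statement,
        })
    return findings


if __name__ == "__main__":
    for name, doc in [("public", PUBLIC_READ_POLICY),
                      ("restricted", RESTRICTED_POLICY),
                      ("conditioned", CONDITIONED_POLICY)]:
        print(name, find_wildcard_principals(doc))
```

A finding with needs_review set to False is the case this rule targets: an unconditioned Allow to every principal. A finding with needs_review True is still worth a look, because conditions on keys such as aws:PrincipalOrgID limit who can use the statement while a condition on, say, aws:SecureTransport alone does not.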
Vulnerable code example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*", // Vulnerable: allows unrestricted access from any AWS account or user
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-bucket/*"]
    }
  ]
}
✅ Secure code example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictedS3Access", // Add a statement ID for better policy management
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/specific-reader-role" // Restrict to a specific IAM role
      },
      "Action": ["s3:GetObject"], // Same action and resource as above; only the principal changes
      "Resource": ["arn:aws:s3:::example-bucket/*"]
    }
  ]
}