AWS Security ChangesHomeSearch

AWS IAM high security documentation change

Service: IAM · 2025-07-16 · Security-related high

File: IAM/latest/UserGuide/reference-arns.md

Summary

Added warning about automatic wildcard expansion in incomplete ARNs for identity-based policies

Security assessment

The change addresses a security-relevant configuration pitfall by warning users that incomplete ARNs expand to wildcards, which could lead to accidental over-permissioning. This directly documents a security consideration for policy authors to prevent unintended access.

Diff

diff --git a/IAM/latest/UserGuide/reference-arns.md b/IAM/latest/UserGuide/reference-arns.md
index 9daa743b3..738400b29 100644
--- a//IAM/latest/UserGuide/reference-arns.md
+++ b//IAM/latest/UserGuide/reference-arns.md
@@ -128,0 +129,4 @@ You cannot use a wildcard in the portion of the ARN that specifics the resource
+###### Note
+
+When you specify an incomplete ARN (one with fewer than the standard six fields) in an identity-based policy, AWS automatically completes the ARN by adding wildcard characters (*) to all missing fields. For example, specifying `arn:aws:sqs` is equivalent to `arn:aws:sqs:*:*:*`, which grants access to all Amazon SQS resources across all regions and accounts.
+