AWS IAM high security documentation change
Summary
Added warning about automatic wildcard expansion in incomplete ARNs for identity-based policies
Security assessment
The change addresses a security-relevant configuration pitfall by warning users that incomplete ARNs expand to wildcards, which could lead to accidental over-permissioning. This directly documents a security consideration for policy authors to prevent unintended access.
Diff
diff --git a/IAM/latest/UserGuide/reference-arns.md b/IAM/latest/UserGuide/reference-arns.md index 9daa743b3..738400b29 100644 --- a//IAM/latest/UserGuide/reference-arns.md +++ b//IAM/latest/UserGuide/reference-arns.md @@ -128,0 +129,4 @@ You cannot use a wildcard in the portion of the ARN that specifics the resource +###### Note + +When you specify an incomplete ARN (one with fewer than the standard six fields) in an identity-based policy, AWS automatically completes the ARN by adding wildcard characters (*) to all missing fields. For example, specifying `arn:aws:sqs` is equivalent to `arn:aws:sqs:*:*:*`, which grants access to all Amazon SQS resources across all regions and accounts. +