AWS Security ChangesHomeSearch

AWS IAM medium security documentation change

Service: IAM · 2025-07-16 · Security-related medium

File: IAM/latest/UserGuide/reference_identifiers.md

Summary

Added note explaining AWS automatically completes incomplete ARNs with wildcards in identity-based policies

Security assessment

Clarifies potential over-permissive access risks when using incomplete ARNs, which could lead to unintended resource exposure if misunderstood. Directly addresses security implications of policy syntax.

Diff

diff --git a/IAM/latest/UserGuide/reference_identifiers.md b/IAM/latest/UserGuide/reference_identifiers.md
index b95221ec5..1bb3009fd 100644
--- a//IAM/latest/UserGuide/reference_identifiers.md
+++ b//IAM/latest/UserGuide/reference_identifiers.md
@@ -268,0 +269,4 @@ Don't use a wildcard in the `user/`, `group/`, or `policy/` part of the ARN. For
+###### Note
+
+When you specify an incomplete ARN (one with fewer than the standard six fields) in an identity-based policy, AWS automatically completes the ARN by adding wildcard characters (*) to all missing fields. For example, specifying `arn:aws:sqs` is equivalent to `arn:aws:sqs:*:*:*`, which grants access to all Amazon SQS resources across all regions and accounts.
+