AWS Security ChangesHomeSearch

AWS IAM medium security documentation change

Service: IAM · 2025-07-16 · Security-related medium

File: IAM/latest/UserGuide/reference_policies_grammar.md

Summary

Added documentation about wildcard usage in ARNs and automatic wildcard completion for incomplete ARNs

Security assessment

Explains security-critical behavior of policy evaluation regarding wildcards, helping prevent accidental over-permissioning. Reiterates security implications from reference_identifiers.md.

Diff

diff --git a/IAM/latest/UserGuide/reference_policies_grammar.md b/IAM/latest/UserGuide/reference_policies_grammar.md
index e339fe82e..62e8799ce 100644
--- a//IAM/latest/UserGuide/reference_policies_grammar.md
+++ b//IAM/latest/UserGuide/reference_policies_grammar.md
@@ -240 +240,5 @@ Note that you can use * only to specify "everyone/anonymous." You cannot use it
-In most cases, consists of an [Amazon Resource Name](./reference_identifiers.html#identifiers-arns) (ARN).
+In most cases, consists of an [Amazon Resource Name](./reference_identifiers.html#identifiers-arns) (ARN). You can use wildcards (* and ?) in the resource portion of the ARN. For more information about using wildcards in ARNs, see [Using wildcards in paths](./reference-arns.html#arns-paths-wildcards).
+
+###### Note
+
+When you specify an incomplete ARN (one with fewer than the standard six fields) in an identity-based policy, AWS automatically completes the ARN by adding wildcard characters (*) to all missing fields. For example, specifying `arn:aws:sqs` is equivalent to `arn:aws:sqs:*:*:*`, which grants access to all Amazon SQS resources across all regions and accounts.