AWS Security ChangesHomeSearch

AWS IAM medium security documentation change

Service: IAM · 2025-08-01 · Security-related medium

File: IAM/latest/UserGuide/access-analyzer-reference-policy-checks.md

Summary

Updated policy check guidance to require characters preceding policy variables/wildcards instead of following them

Security assessment

The change addresses overly permissive policies by requiring 6 characters before variables/wildcards rather than after. This reduces attack surface by preventing overly broad patterns like `${aws:username}*` which could allow privilege escalation. The updates enforce more restrictive patterns aligned with least privilege principles.

Diff

diff --git a/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.md b/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.md
index 774b73aea..528a5ac33 100644
--- a//IAM/latest/UserGuide/access-analyzer-reference-policy-checks.md
+++ b//IAM/latest/UserGuide/access-analyzer-reference-policy-checks.md
@@ -2814 +2814 @@ In the AWS Management Console, the finding for this check includes the following
-    Variable usage too permissive: Overly permissive use of policy variable for the {{key}} condition key. Use the policy variable followed by 6 consecutive characters.
+    Variable usage too permissive: Overly permissive use of policy variable for the {{key}} condition key. Use the policy variable preceded by 6 consecutive characters.
@@ -2825 +2825 @@ In programmatic calls to the AWS CLI or AWS API, the finding for this check incl
-    "findingDetails": "Overly permissive use of policy variable for the {{key}} condition key. Use the policy variable followed by 6 consecutive characters."
+    "findingDetails": "Overly permissive use of policy variable for the {{key}} condition key. Use the policy variable preceded by 6 consecutive characters."
@@ -2837 +2837 @@ There are three possible finding messages for this error.
-  * For the first error message, modify your policy variable usage to be more specific. Add at least 6 consecutive characters after the policy variable to reduce the scope of permissions. For example, instead of using `${aws:username}*`, use `${aws:username}folder/*` or `${aws:username}-resource-*`. This ensures that the policy variable doesn't grant overly broad access.
+  * For the first error message, modify your policy variable usage to be more specific. Add at least 6 consecutive characters before the policy variable to reduce the scope of permissions. For example, instead of using `${aws:username}`, use `prefix-${aws:username}` or `myapp-${aws:username}`. This ensures that the policy variable doesn't grant overly broad access.
@@ -2841 +2841 @@ There are three possible finding messages for this error.
-  * For the third error message, modify your `aws:userID` policy variable usage to be more restrictive. Place the policy variable on the right side of a colon (after the account ID) or use it as the only character on the left side of a colon. For example, use `AIDACKCEVSQ6C2EXAMPLE:${aws:userid}` or `${aws:userid}` instead of `${aws:userid}:*`.
+  * For the third error message, modify your `aws:userID` policy variable usage to be more restrictive. Place the policy variable on the right side of a colon (after the account ID) or use it as the only character on the left side of a colon. For example, use `AIDACKCEVSQ6C2EXAMPLE:${aws:userid}` or `${aws:userid}:*` instead of `${aws:userid}`.
@@ -2870 +2870 @@ In the AWS Management Console, the finding for this check includes the following
-    Wildcard usage too permissive: Overly permissive use of wildcard for the {{key}} condition key. Use the wildcard followed by 6 consecutive characters.
+    Wildcard usage too permissive: Overly permissive use of wildcard for the {{key}} condition key. Use the wildcard preceded by 6 consecutive characters.
@@ -2881 +2881 @@ In programmatic calls to the AWS CLI or AWS API, the finding for this check incl
-    "findingDetails": "Overly permissive use of wildcard for the {{key}} condition key. Use the wildcard followed by 6 consecutive characters."
+    "findingDetails": "Overly permissive use of wildcard for the {{key}} condition key. Use the wildcard preceded by 6 consecutive characters."
@@ -2893 +2893 @@ There are three possible finding messages for this error.
-  * For the first error message, make your wildcard usage more specific by adding at least 6 consecutive characters after the wildcard. For example, instead of using `*`, use `*-suffix` or `prefix-*-suffix`. This reduces the scope of the condition and follows the principle of least privilege.
+  * For the first error message, make your wildcard usage more specific by adding at least 6 consecutive characters before the wildcard. For example, instead of using `*`, use `prefix-*` or `prefix-*-suffix`. This reduces the scope of the condition and follows the principle of least privilege.
@@ -2897 +2897 @@ There are three possible finding messages for this error.
-  * For the third error message, modify your `aws:userID` wildcard usage to be more restrictive. Place the wildcard on the right side of a colon (after the account ID) or use it as the only character on the left side of a colon. For example, use `AIDACKCEVSQ6C2EXAMPLE:*` or `*` instead of `*:*`. 
+  * For the third error message, modify your `aws:userID` wildcard usage to be more restrictive. Place the wildcard on the right side of a colon (after the account ID) or use it as the only character on the left side of a colon. For example, use `AIDACKCEVSQ6C2EXAMPLE:*` or `*:*` instead of `*`.