Vol. 1 · Ed. 2026
CyberGlossary
Entry № 564

IAM Misconfiguration (cloud)

Reviewed by: Cybersecurity entrepreneur & security researcher

What is IAM Misconfiguration (cloud)?

IAM Misconfiguration (cloud): Insecure or overly permissive cloud Identity and Access Management settings that allow users, roles, or services to perform actions beyond what they actually need.


Cloud IAM misconfigurations occur when policies, roles, trust relationships, or permission boundaries grant more access than the workload requires. Typical issues include wildcards in Action or Resource ("*"), roles assumable by arbitrary accounts, long-lived access keys, missing MFA on privileged users, unused but still-active service accounts, and chained role assumptions that enable privilege escalation. Because IAM is the control plane of the cloud, an IAM mistake often turns a low-impact bug into a full account takeover or data breach. Defenses include least-privilege design, IAM Access Analyzer and CIEM tooling, permission boundaries, SCPs/management groups, short-lived credentials with STS or workload identity federation, and continuous monitoring of effective permissions versus actual usage.

Examples

  1. An EC2 instance role with Action: "*" on Resource: "*".

  2. An AssumeRole trust policy that allows arn:aws:iam::*:root as Principal.
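As an added illustration (not code from this glossary), a small Python checker that detects the two example misconfigurations above in AWS-style policy documents loaded as dicts: wildcard Action/Resource grants in a permissions policy, and a trust policy whose Principal lets any account assume the role. The sample policies at the bottom are constructed for the demo.

```python
# Added example (not the glossary's code): static checks for the two IAM
# misconfigurations in the examples above, run over AWS-style policy dicts.
# The sample policies at the bottom are constructed for the demo.

OPEN_PRINCIPALS = {"*", "arn:aws:iam::*:root"}  # any AWS account may assume

def _as_list(value):
    # IAM accepts a string or a list in these fields; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def find_wildcard_grants(policy):
    """(Sid, field, value) for Allow statements with Action "*"/"svc:*" or Resource "*"."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        # Deny statements are skipped: a wildcard there narrows access, not widens it.
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((sid, "Resource", resource))
    return findings

def find_open_trust(trust_policy):
    """Sids of Allow statements whose AWS principal lets arbitrary accounts assume the role."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal may be the bare string "*" or a dict with an "AWS" key.
        aws = principal if isinstance(principal, str) else principal.get("AWS")
        if OPEN_PRINCIPALS & set(_as_list(aws)):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed samples mirroring glossary examples 1 and 2.
INSTANCE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyAccount", "Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::*:root"}}]}
```

Running the two functions over the samples reports the AdminEverything statement on both Action and Resource and the AnyAccount trust statement; a scoped policy such as `s3:GetObject` on a single bucket ARN produces no findings.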

Frequently asked questions

What is IAM Misconfiguration (cloud)?

Insecure or overly permissive cloud Identity and Access Management settings that allow users, roles, or services to perform actions beyond what they actually need. It belongs to the Cloud Security category of cybersecurity.

What does IAM Misconfiguration (cloud) mean?

Insecure or overly permissive cloud Identity and Access Management settings that allow users, roles, or services to perform actions beyond what they actually need.

How do you defend against IAM Misconfiguration (cloud)?

Defences for IAM Misconfiguration (cloud) typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for IAM Misconfiguration (cloud)?

Common alternative names include: Overly permissive IAM, Excessive cloud privileges.
