AWS IAM glossary

What is Wildcard Action?

A wildcard action uses an asterisk to match many or all actions, with Action set to "*" granting every action in AWS.

Wildcards can be partial, such as s3:Get*, or total, such as a bare "*". A total wildcard on Resource "*" is administrator-equivalent and is the single most common over-permissioning pattern in real policies.

Partial wildcards are sometimes reasonable for read families, but they still grant future actions that match the pattern. Enumerating the exact actions a workload needs is the reliable way to avoid silently widening access as AWS adds new APIs.

Example

{
  "Effect": "Allow",
  "Action": "*",
  "Resource": "*"
}

Common mistake

Leaving a wildcard action in place to unblock a deploy. Action "*" on Resource "*" grants full administrator access and rarely gets tightened later.
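An added example, not from the original page or from Shieldly's tooling: a small Python check that flags wildcard actions in Allow statements and shows how a partial wildcard such as s3:Get* starts granting an action that did not exist when the policy was written. The policy, Sids, bucket name and the action name s3:GetExampleFutureThing are constructed for illustration.

```python
import re

# Constructed policy for illustration; Sids and bucket name are made up.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DeployUnblock", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ReadFamily", "Effect": "Allow",
         "Action": ["s3:Get*", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Exact", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
# Constructed action catalogues; the "...ExampleFutureThing" names are made up
# and stand in for APIs that AWS adds after the policy was written.
ACTIONS_BEFORE = ["s3:GetObject", "s3:GetBucketPolicy", "s3:PutObject"]
ACTIONS_AFTER = ACTIONS_BEFORE + ["s3:GetExampleFutureThing", "s3:PutExampleFutureThing"]

def as_list(value):
    """Action, Resource and Statement may each be a single value or a list."""
    return list(value) if isinstance(value, list) else [value]

def matches(pattern, action):
    """IAM-style match: '*' = any run of characters, '?' = one; case-insensitive."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def audit(policy):
    """Return (sid, severity, pattern) for each wildcard action in Allow statements."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        for pattern in as_list(stmt.get("Action", [])):
            if pattern == "*":
                sev = "admin-equivalent" if "*" in resources else "total"
            elif "*" in pattern or "?" in pattern:
                sev = "partial"
            else:
                continue
            findings.append((stmt.get("Sid", "<no Sid>"), sev, pattern))
    return findings

def newly_granted(pattern, before, after):
    """Actions the pattern starts to grant only because the catalogue grew."""
    return sorted(a for a in set(after) - set(before) if matches(pattern, a))
```

The enumerated s3:GetObject statement produces no finding and gains nothing when the catalogue grows, which is the behaviour the exact-action approach is meant to guarantee.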

Analyze a real policy free

Shieldly's AI-powered analyzer explains why an IAM policy is risky and returns the fix in seconds. No signup, no AWS credentials. Also ships as a CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.