← All posts
2 min read

Understand IAM Action wildcards

#aws#cli#iam#security#identity
📑 On this page

Part 105 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

Action wildcards expand permission scope. s3:Get* can include more operations over time than one named action.

Before you run it

aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"

IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.

The command

cat > action-wildcards.json <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example/*"},
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::example/*"}
  ]
}
EOF

The two statements are intentionally redundant for comparison; do not attach this teaching document.

Inspect the result

aws accessanalyzer validate-policy \
  --policy-type IDENTITY_POLICY \
  --policy-document file://action-wildcards.json \
  --output table

Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.

One tiny variation

sed 's/"s3:Get\*"/"s3:*"/' action-wildcards.json   > dangerously-broad.json

s3:* includes writes, deletes, policy changes, and many other actions; it is not read-only.

Common mistake

A wildcard that looks linguistically narrow may cover unexpected API actions. Prefer exact actions and test real workflows.

Cleanup

rm action-wildcards.json dangerously-broad.json

Only local comparison files were created.

Next, we will learn Understand IAM Resource ARNs.

Official AWS CLI reference