Understand IAM Action wildcards
📑 On this page
Part 105 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
Action wildcards expand permission scope. s3:Get* can include more operations over time than one named action.
Before you run it
aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.
The command
cat > action-wildcards.json <<'EOF'
{
"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example/*"},
{"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::example/*"}
]
}
EOFThe two statements are intentionally redundant for comparison; do not attach this teaching document.
Inspect the result
aws accessanalyzer validate-policy \
--policy-type IDENTITY_POLICY \
--policy-document file://action-wildcards.json \
--output tableRead the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.
One tiny variation
sed 's/"s3:Get\*"/"s3:*"/' action-wildcards.json > dangerously-broad.jsons3:* includes writes, deletes, policy changes, and many other actions; it is not read-only.
Common mistake
A wildcard that looks linguistically narrow may cover unexpected API actions. Prefer exact actions and test real workflows.
Cleanup
rm action-wildcards.json dangerously-broad.jsonOnly local comparison files were created.
Next, we will learn Understand IAM Resource ARNs.