Configure the aws_iam_policy, aws_iam_group_policy, aws_iam_role_policy, aws_iam_user_policy, or aws_iam_policy_document so the effect is not set to "Allow" and actions and resources are not set to *.

• Ensure that IAM policy definitions in aws_iam_policy resources, or inline with aws_iam_group_policy, aws_iam_role_policy, and aws_iam_user_policy resources do not have Effect set to "Allow" and Action and Resource set to * in the policy block.
• When using aws_iam_policy_document, ensure it does not have effect set to "Allow" and actions and resources to contain * in the statement blocks.

Example Configuration

# Example aws_iam_policy
resource "aws_iam_policy" "my_test_policy_1" {
  name        = "test_policy_1"
  path        = "/"
  description = "My test policy 1"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["ec2:StartInstances"],
      "Effect": "Allow",
      "Resource": ["*"]
    }
  ]
}
EOF
}

# Example aws_iam_policy_document
data "aws_iam_policy_document" "my_test_policy_2_policy" {
  statement {
    effect = "Allow"
    actions = ["ec2:StartInstances"]
    resources = ["*"]
  }

  statement {
    effect = "Allow"
    actions = ["*"]
    resources = ["${aws_iam_policy.my_test_policy_1.arn}"]
  }

  statement {
    effect = "Deny"
    actions = ["*"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "my_test_policy_2" {
  name        = "test_policy_2"
  path        = "/"
  description = "My test policy 2"
  policy = "${data.aws_iam_policy_document.my_test_policy_2_policy.json}"
}