aquasecurity
diff --git a/‎avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md
+4-5 b/‎avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md
+4-5
diff --git a/‎avd_docs/aws/iam/AVD-AWS-0057/Terraform.md
+34-35 b/‎avd_docs/aws/iam/AVD-AWS-0057/Terraform.md
+34-35
diff --git a/‎avd_docs/aws/iam/AVD-AWS-0057/docs.md
+2-1 b/‎avd_docs/aws/iam/AVD-AWS-0057/docs.md
+2-1
diff --git a/‎avd_docs/aws/iam/AVD-AWS-0169/docs.md
+2-3 b/‎avd_docs/aws/iam/AVD-AWS-0169/docs.md
+2-3
diff --git a/‎avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md
+11-12 b/‎avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md
+11-12
diff --git a/‎avd_docs/aws/sam/AVD-AWS-0114/docs.md
+2-1 b/‎avd_docs/aws/sam/AVD-AWS-0114/docs.md
+2-1
diff --git a/‎avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md
+8-9 b/‎avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md
+8-9
diff --git a/‎avd_docs/aws/sam/AVD-AWS-0120/docs.md
+4-2 b/‎avd_docs/aws/sam/AVD-AWS-0120/docs.md
+4-2
diff --git a/‎avd_docs/aws/ssm/AVD-AWS-0134/Terraform.md
+2-4 b/‎avd_docs/aws/ssm/AVD-AWS-0134/Terraform.md
+2-4
diff --git a/‎avd_docs/aws/ssm/AVD-AWS-0134/docs.md
+2-1 b/‎avd_docs/aws/ssm/AVD-AWS-0134/docs.md
+2-1
diff --git a/‎checks/cloud/aws/accessanalyzer/enable_access_analyzer.rego
+1 b/‎checks/cloud/aws/accessanalyzer/enable_access_analyzer.rego
+1
diff --git a/‎checks/cloud/aws/iam/no_policy_wildcards.rego
+38 b/‎checks/cloud/aws/iam/no_policy_wildcards.rego
+38
@@ -1,20 +1,19 @@
 
 Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
 
-```yaml---
+```yaml
 Resources:
   GoodPolicy:
-    Type: 'AWS::IAM::Policy'
+    Type: AWS::IAM::Policy
     Properties:
       PolicyName: CFNUsers
       PolicyDocument:
         Version: "2012-10-17"
         Statement:
           - Effect: Allow
             Action:
-              - 's3:ListBuckets'
-            Resource: 'specific-bucket'
-
+              - s3:ListBuckets
+            Resource: specific-bucket
 ```
 
 
@@ -2,41 +2,40 @@
 Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
 
 ```hcl
- resource "aws_iam_role_policy" "test_policy" {
- 	name = "test_policy"
- 	role = aws_iam_role.test_role.id
- 
- 	policy = data.aws_iam_policy_document.s3_policy.json
- }
- 
- resource "aws_iam_role" "test_role" {
- 	name = "test_role"
- 	assume_role_policy = jsonencode({
- 		Version = "2012-10-17"
- 		Statement = [
- 		{
- 			Action = "sts:AssumeRole"
- 			Effect = "Allow"
- 			Sid    = ""
- 			Principal = {
- 			Service = "s3.amazonaws.com"
- 			}
- 		},
- 		]
- 	})
- }
- 
- data "aws_iam_policy_document" "s3_policy" {
-   statement {
-     principals {
-       type        = "AWS"
-       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
-     }
-     actions   = ["s3:GetObject"]
-     resources = [aws_s3_bucket.example.arn]
-   }
- }
- 
+resource "aws_iam_role_policy" "test_policy" {
+  name = "test_policy"
+  role = aws_iam_role.test_role.id
+
+  policy = data.aws_iam_policy_document.s3_policy.json
+}
+
+resource "aws_iam_role" "test_role" {
+  name = "test_role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "s3.amazonaws.com"
+        }
+      },
+    ]
+  })
+}
+
+data "aws_iam_policy_document" "s3_policy" {
+  statement {
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions   = ["s3:GetObject"]
+    resources = [aws_s3_bucket.example.arn]
+  }
+}
 ```
 
 #### Remediation Links
 
@@ -1,8 +1,9 @@
 
 You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.
 
+
 ### Impact
-Overly permissive policies may grant access to sensitive resources
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}
 
@@ -1,11 +1,10 @@
 
-
 By implementing least privilege for access control, an IAM Role will require an appropriate
 IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.
-			
+
 
 ### Impact
-Incident management is not possible without a support role.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}
 
@@ -1,7 +1,7 @@
 
 Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
 
-```yaml---
+```yaml
 Resources:
   GoodFunction:
     Type: AWS::Serverless::Function
@@ -10,20 +10,19 @@ Resources:
       ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
       ImageConfig:
         Command:
-          - "app.lambda_handler"
+          - app.lambda_handler
         EntryPoint:
-          - "entrypoint1"
-        WorkingDirectory: "workDir"
-      Policies:  
+          - entrypoint1
+        WorkingDirectory: workDir
+      Policies:
         - AWSLambdaExecute
-        - Version: '2012-10-17'
+        - Version: "2012-10-17"
           Statement:
-          - Effect: Allow
-            Action:
-            - s3:GetObject
-            - s3:GetObjectACL
-            Resource: 'arn:aws:s3:::my-bucket/*'
-
+            - Effect: Allow
+              Action:
+                - s3:GetObject
+                - s3:GetObjectACL
+              Resource: arn:aws:s3:::my-bucket/*
 ```
 
 
@@ -1,8 +1,9 @@
 
 You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.
 
+
 ### Impact
-Overly permissive policies may grant access to sensitive resources
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}
 
@@ -1,7 +1,7 @@
 
 Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
 
-```yaml---
+```yaml
 Resources:
   GoodFunction:
     Type: AWS::Serverless::StateMachine
@@ -16,16 +16,15 @@ Resources:
       Role: arn:aws:iam::123456123456:role/service-role/my-sample-role
       Tracing:
         Enabled: true
-      Policies:  
+      Policies:
         - AWSLambdaExecute
-        - Version: '2012-10-17'
+        - Version: "2012-10-17"
           Statement:
-          - Effect: Allow
-            Action:
-            - s3:GetObject
-            - s3:GetObjectACL
-            Resource: 'arn:aws:s3:::my-bucket/*'
-
+            - Effect: Allow
+              Action:
+                - s3:GetObject
+                - s3:GetObjectACL
+              Resource: arn:aws:s3:::my-bucket/*
 ```
 
 
@@ -1,8 +1,10 @@
 
-You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.
+You should use the principle of least privilege when defining your IAM policies.
+This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.
+
 
 ### Impact
-Overly permissive policies may grant access to sensitive resources
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}
 
@@ -3,12 +3,10 @@ Remove this potential exfiltration HTTP request.
 
 ```hcl
 resource "aws_ssm_parameter" "db_password" {
-  name = "db_password"
-  type = "SecureString"
+  name  = "db_password"
+  type  = "SecureString"
   value = var.db_password
 }
-
- 
 ```
 
 
@@ -1,8 +1,9 @@
 
 The data.http block can be used to send secret data outside of the organisation.
 
+
 ### Impact
-Secrets could be exposed outside of the organisation.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}
 
@@ -20,6 +20,7 @@
 #   service: accessanalyzer
 #   severity: LOW
 #   short_code: enable-access-analyzer
+#   deprecated: true
 #   recommended_action: Enable IAM Access analyzer across all regions.
 #   frameworks:
 #     cis-aws-1.4:
 
@@ -0,0 +1,38 @@
+# METADATA
+# title: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
+# description: |
+#   You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
+# custom:
+#   id: AVD-AWS-0057
+#   avd_id: AVD-AWS-0057
+#   provider: aws
+#   service: iam
+#   severity: HIGH
+#   short_code: no-policy-wildcards
+#   deprecated: true
+#   recommended_action: Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
+#   frameworks:
+#     default:
+#       - null
+#     cis-aws-1.4:
+#       - "1.16"
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: iam
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
+#     good_examples: checks/cloud/aws/iam/no_policy_wildcards.yaml
+#     bad_examples: checks/cloud/aws/iam/no_policy_wildcards.yaml
+#   cloudformation:
+#     good_examples: checks/cloud/aws/iam/no_policy_wildcards.yaml
+#     bad_examples: checks/cloud/aws/iam/no_policy_wildcards.yaml
+package builtin.aws.iam.aws0057