IAM policy should avoid use of wildcards and instead apply the principle of least privilege - tfsec
A static analysis security scanner for your Terraform code
aquasecurity.github.io