Skip to content
TFLint AWS Meta Ruleset

IAM Policy Hardcoded Regions

Rule: aws_iam_policy_hardcoded_region

This rule checks aws_iam_policy resources for hardcoded AWS regions in policy documents. Similar to the role policy rule, it examines:

  • Hardcoded regions in ARNs within policy statements
  • Direct region references in policy JSON

Example violations

Section titled “Example violations”
resource "aws_iam_policy" "bad" {
  policy = jsonencode({
    Statement = [{
      Effect   = "Allow"
      Action   = "lambda:InvokeFunction"
      Resource = "arn:aws:lambda:eu-west-1:123456789012:function:*"  # ❌ Hardcoded region
    }]
  })
}
Section titled “Recommended fix”
resource "aws_iam_policy" "good" {
  policy = jsonencode({
    Statement = [{
      Effect   = "Allow"
      Action   = "lambda:InvokeFunction"
      Resource = "arn:aws:lambda:${data.aws_region.current.name}:123456789012:function:*"  # ✅ Dynamic region
    }]
  })
}

Enabling this rule

Section titled “Enabling this rule”

This rule is disabled by default. To enable it, add it to your .tflint.hcl:

rule "aws_iam_policy_hardcoded_region" {
  enabled = true
}