diff --git a/policies/CIS.5.1.3.rego b/policies/CIS.5.1.3.rego
new file mode 100644
index 0000000000..1dd3e82ee7
--- /dev/null
+++ b/policies/CIS.5.1.3.rego
@@ -0,0 +1,27 @@
+package cis_5_1_3
+
+import data.lib.kubernetes
+
+violation[msg] {
+ kubernetes.clusterroles[clusterrole]
+ is_using_wildcard(clusterrole.rules[_])
+ msg = kubernetes.format(sprintf("ClusterRole %v - use of wildcard is not allowed", [clusterrole.metadata.name]))
+}
+
+violation[msg] {
+ kubernetes.roles[role]
+ is_using_wildcard(role.rules[_])
+ msg = kubernetes.format(sprintf("Role %v - use of wildcard is not allowed", [role.metadata.name]))
+}
+
+is_using_wildcard(rule) {
+ rule.apiGroups[_] == "*"
+}
+
+is_using_wildcard(rule) {
+ rule.resources[_] == "*"
+}
+
+is_using_wildcard(rule) {
+ rule.verbs[_] == "*"
+}
diff --git a/policies/CIS.5.1.3_test.rego b/policies/CIS.5.1.3_test.rego
new file mode 100644
index 0000000000..cd25abef37
--- /dev/null
+++ b/policies/CIS.5.1.3_test.rego
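Review bot: The three `is_using_wildcard` bodies only flag an entry that is exactly `"*"`, so the other wildcard forms the RBAC matcher accepts — a `*/<subresource>` entry in `resources` (e.g. `*/scale`) and a trailing `*` in `nonResourceURLs` (e.g. `/healthz/*`) — pass this check unflagged. Adding `is_using_wildcard(rule) { startswith(rule.resources[_], "*/") }` and `is_using_wildcard(rule) { endswith(rule.nonResourceURLs[_], "*") }` would close that gap; whether non-resource URLs are in scope for 5.1.3 is a judgement call, so a comment on the rule saying what counts as a wildcard here would help either way. A header comment is also needed on the bootstrap defaults: the companion test fixture is literally `system:node` labelled `kubernetes.io/bootstrapping=rbac-defaults`, and `cluster-admin` is all wildcards, so these rules will fire on every cluster for roles the API server reconciles and the user cannot change — the policy will need an exclusion on that label or the findings should be documented as informational.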
@@ -0,0 +1,62 @@
+package cis_5_1_3
+
+import data.lib.test
+
+test_violation {
+ test.violations(violation) with input as policy_input("ClusterRole", "authorization.k8s.io", "tokenviews", "*")
+}
+
+test_violation {
+ test.violations(violation) with input as policy_input("ClusterRole", "authorization.k8s.io", "*", "create")
+}
+
+test_violation {
+ test.violations(violation) with input as policy_input("ClusterRole", "*", "tokenviews", "create")
+}
+
+test_violation {
+ test.violations(violation) with input as policy_input("Role", "authorization.k8s.io", "tokenviews", "*")
+}
+
+test_violation {
+ test.violations(violation) with input as policy_input("Role", "authorization.k8s.io", "*", "create")
+}
+
+test_violation {
+ test.violations(violation) with input as policy_input("Role", "*", "tokenviews", "create")
+}
+
+test_no_violation {
+ test.no_violations(violation) with input as policy_input("ClusterRole", "authorization.k8s.io", "tokenviews", "create")
+}
+
+test_no_violation_2 {
+ test.no_violations(violation) with input as policy_input("Role", "authorization.k8s.io", "tokenviews", "create")
+}
+
+policy_input(rolekind, apiGroup, resource, verb) = {
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "kind": rolekind,
+ "metadata": {
+ "annotations": {
+ "rbac.authorization.kubernetes.io/autoupdate": "true"
+ },
+ "labels": {
+ "kubernetes.io/bootstrapping": "rbac-defaults"
+ },
+ "name": "system:node"
+ },
+ "rules": [
+ {
+ "apiGroups": [
+ apiGroup
+ ],
+ "resources": [
+ resource
+ ],
+ "verbs": [
+ verb
+ ]
+ }
+ ]
+}
diff --git a/policies/lib/kubernetes.rego b/policies/lib/kubernetes.rego
index 12c527f3de..807e83d171 100644
--- a/policies/lib/kubernetes.rego
+++ b/policies/lib/kubernetes.rego
@@ -153,6 +153,19 @@ clusterroles[clusterrole] {
 clusterrole = object
 }
 
+is_role {
+ kind = "Role"
+}
+
+is_role {
+ kind = "Roles"
+}
+
+roles[role] {
+ is_role
+ role = object
+}
+
 is_clusterrole_binding {
 kind = "ClusterRoleBinding"
 }
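Review bot: Six test rules share the name `test_violation`, which in Rego makes them six bodies of one rule rather than six independent tests; depending on the OPA version they are either collapsed into a single rule that passes as soon as any body holds, or run separately under opaque `#01`-style suffixes, and in both cases a regression that silences, say, the `Role` verb-wildcard case is hard or impossible to see in the output. Give each case its own name, e.g. `test_violation_clusterrole_verb_wildcard`, `test_violation_role_apigroup_wildcard`, consistent with the `test_no_violation`/`test_no_violation_2` pair, which already use distinct names. A negative case for a `*/scale`-style resource entry would also pin down whether such entries are meant to pass this check.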
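Review bot: The second `is_role` body matches `kind = "Roles"`, but no Kubernetes API kind is spelled that way — a collection of roles is `RoleList` with the objects under `.items` — so either this branch is dead or, if `"Roles"` is a convention this library uses for a wrapped list (the `kind` and `object` helpers and the enclosing `clusterroles` rule all start before the hunk, so I cannot tell), `roles[role] { is_role; role = object }` hands the list envelope to the policy instead of each role, and `role.rules[_]` then matches nothing and the check silently reports no violation. Either drop the `"Roles"` body or add a comment stating which input shape it is for, e.g. `# "Roles": kind used by the input adapter for a collection of Role objects; items are unwrapped by object`, and confirm that claim against the adapter.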