Remediation
From Console
Perform the following to detach the policy that has full administrative privileges:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, click Policies and then search for the policy name found in the audit step.
- Select the policy that needs to be deleted.
- In the policy action menu, select Detach first.
- Select all Users, Groups, and Roles that have this policy attached.
- Click Detach Policy.
- Select the newly detached policy and select Delete.
From Command Line
Perform the following to detach the policy that has full administrative privileges as found in the audit step:
- List all IAM users, groups, and roles that the managed policy is attached to:
aws iam list-entities-for-policy --policy-arn <policy_arn>
- Detach the policy from all IAM Users:
aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
- Detach the policy from all IAM Groups:
aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>
- Detach the policy from all IAM Roles:
aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>
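The following script is an added example, not part of the benchmark text. It chains the CLI steps above into one run: it reads the attached users, groups and roles from `list-entities-for-policy`, emits the three detach commands for each principal, and then deletes the policy as the console procedure does. Two details matter in practice that the steps above do not mention: `delete-policy` fails while the policy still has non-default versions, so those are removed first with `delete-policy-version`; and AWS managed policies (ARNs under `arn:aws:iam::aws:policy/`) can be detached but never deleted, so the delete step is skipped for them. The script assumes AWS CLI v2 with credentials permitted to call `iam:ListEntitiesForPolicy`, `iam:Detach*Policy`, `iam:ListPolicyVersions`, `iam:DeletePolicyVersion` and `iam:DeletePolicy`; the policy ARN is supplied as a placeholder on the command line. Without `--apply` it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not benchmark text): detach a full-admin managed policy from every
# principal, remove its non-default versions, then delete it.
# Usage: ./detach-admin-policy.sh <policy_arn> [--apply]
#   Without --apply the script prints the commands instead of executing them.
set -eu

APPLY=${APPLY:-0}

# Execute a command when APPLY=1, otherwise print it (dry run). No eval is used:
# IAM names come from the API and are passed as discrete arguments.
run() {
  if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# AWS managed policies live under arn:aws:iam::aws:policy/ and cannot be deleted,
# only detached. Returns 0 when the policy is a customer managed one we may delete.
deletable() {
  case $1 in
    arn:aws:iam::aws:policy/*) return 1 ;;
    *) return 0 ;;
  esac
}

# One detach call per principal name. $1 = user|group|role, $2 = policy ARN,
# $3 = whitespace/tab-separated names as `--output text` prints them
# (an empty list prints nothing, or "None" for a null result).
detach_cmds() {
  kind=$1; arn=$2; names=$3
  for n in $names; do
    [ "$n" = "None" ] && continue
    run aws iam detach-"$kind"-policy --"$kind"-name "$n" --policy-arn "$arn"
  done
}

# DeletePolicy refuses to remove a policy that still has other versions,
# so every non-default version is deleted first.
version_cmds() {
  arn=$1; versions=$2
  for v in $versions; do
    [ "$v" = "None" ] && continue
    run aws iam delete-policy-version --policy-arn "$arn" --version-id "$v"
  done
}

# Build and run (or print) the full plan from live IAM data.
remediate() {
  arn=$1
  users=$(aws iam list-entities-for-policy --policy-arn "$arn" \
            --query 'PolicyUsers[].UserName' --output text)
  groups=$(aws iam list-entities-for-policy --policy-arn "$arn" \
            --query 'PolicyGroups[].GroupName' --output text)
  roles=$(aws iam list-entities-for-policy --policy-arn "$arn" \
            --query 'PolicyRoles[].RoleName' --output text)

  detach_cmds user  "$arn" "$users"
  detach_cmds group "$arn" "$groups"
  detach_cmds role  "$arn" "$roles"

  if deletable "$arn"; then
    versions=$(aws iam list-policy-versions --policy-arn "$arn" \
                 --query 'Versions[?IsDefaultVersion==`false`].VersionId' --output text)
    version_cmds "$arn" "$versions"
    run aws iam delete-policy --policy-arn "$arn"
  else
    echo "# $arn is an AWS managed policy: detached only, not deleted" >&2
  fi
}

main() {
  arn=$1
  [ "${2:-}" = "--apply" ] && APPLY=1
  remediate "$arn"
}

if [ $# -gt 0 ]; then
  main "$@"
else
  echo "usage: $0 <policy_arn> [--apply]" >&2
fi
```

Run it once without `--apply`, review the printed commands against the audit finding, then rerun with `--apply`. Because detaching a full-admin policy can lock out the principal you are using, do the first dry run with the same credentials you intend to apply with and confirm they are not on the list.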