AWS IAM Role unused
- Contextual name: IAM Role Unused
- ID: /ce/ca/aws/iam/role-unused
- Located in: AWS IAM
Flags
- Policy with categories
- Policy with type
- Production policy
Our Metadata
- Policy Type: BEST_PRACTICE
- Policy Category: SECURITY
Logic
- prod.logic.yaml
- AWS IAM Role
- AWS IAM Role - object.extracts.yaml
- test-data.json
Description
AWS Identity and Access Management (IAM) roles are essential to providing permissions to teams and applications using your provisioned AWS infrastructure. As time passes and needs change, some created roles might be left unused in your AWS account. It is highly recommended to remove these unused roles from your AWS account to prevent unauthorized access.
Rationale
It is more secure to start with a minimum set of roles and add roles as they become necessary, rather than to hold the maximum set of roles.
Audit
To determine if you have unused IAM roles, perform the following:
From Command Line
Run the list-roles command (OSX/Linux/UNIX) to list all IAM roles within your account:
aws iam list-roles \
    --query 'Roles[*].RoleName'
The command output should return an array that contains all your IAM role names.
Run the get-role command (OSX/Linux/UNIX) using the IAM role name that you want to examine as a command parameter to retrieve its information:
aws iam get-role \
    --role-name myec2role
... see more
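As an added example (not code from the original page or from Cloudaware), the check a practitioner would run over the get-role output of each role returned by list-roles: a role whose RoleLastUsed.LastUsedDate is older than a threshold, or that has never been used and was created before the threshold, is reported as unused. The threshold of 90 days, the role names and the dates in the sample are assumptions constructed for this example.

```python
"""Classify IAM roles as unused from `aws iam get-role` output."""
import json
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape `aws iam get-role` returns; names and dates
# are made up for this example and only the fields used below are included.
SAMPLE_ROLES = {
    "myec2role": {"Role": {"RoleName": "myec2role", "CreateDate": "2021-03-01T10:00:00+00:00",
                           "RoleLastUsed": {"LastUsedDate": "2023-01-15T08:30:00+00:00", "Region": "us-east-1"}}},
    "active-role": {"Role": {"RoleName": "active-role", "CreateDate": "2021-03-01T10:00:00+00:00",
                             "RoleLastUsed": {"LastUsedDate": "2023-05-25T12:00:00+00:00", "Region": "eu-west-1"}}},
    # Never used, but created only days ago: must not be flagged yet.
    "new-role": {"Role": {"RoleName": "new-role", "CreateDate": "2023-05-28T09:00:00+00:00", "RoleLastUsed": {}}},
    # Never used and old: flagged.
    "old-never-used": {"Role": {"RoleName": "old-never-used", "CreateDate": "2022-01-01T00:00:00+00:00", "RoleLastUsed": {}}},
}
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def _parse(ts):
    # AWS CLI v2 emits ISO 8601 with an explicit offset; tolerate a trailing Z too.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def last_activity(get_role_output):
    """Last use of the role; a role with no LastUsedDate falls back to CreateDate."""
    role = get_role_output["Role"]
    last = role.get("RoleLastUsed", {}).get("LastUsedDate")
    return _parse(last) if last else _parse(role["CreateDate"])


def is_unused(get_role_output, threshold_days=90, now=None):
    now = now or datetime.now(timezone.utc)
    return now - last_activity(get_role_output) > timedelta(days=threshold_days)


def cli_get_role(role_name):
    """Live lookup with the same get-role command the audit step uses."""
    out = subprocess.run(["aws", "iam", "get-role", "--role-name", role_name],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def find_unused_roles(role_names, fetch=cli_get_role, threshold_days=90, now=None):
    """Names of roles unused for longer than threshold_days, sorted."""
    return sorted(n for n in role_names if is_unused(fetch(n), threshold_days, now))


if __name__ == "__main__":
    names = json.loads(subprocess.run(["aws", "iam", "list-roles", "--query", "Roles[*].RoleName"],
                                      capture_output=True, text=True, check=True).stdout)
    print(find_unused_roles(names))
```

IAM only retains last-used data for a limited tracking window (at most about 400 days), so an absent LastUsedDate on an older role means no use within that window, not necessarily never; the CreateDate fallback keeps newly created roles out of the report.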
Remediation
To delete any unused role in your AWS account, perform the following:
From Command Line
When you use the AWS CLI to delete a role, you must first delete the policies associated with the role. Also, if you want to delete the associated instance profile that contains the role, you must delete it separately.
Run the get-role command (OSX/Linux/UNIX) using the IAM role name that you want to examine as a command parameter to retrieve its information:
aws iam get-role \
    --role-name myec2role
The command output should provide the metadata for the role, including the ARN of the role object.
Remove the role from all instance profiles that the role is in.
a. To list all instance profiles that the role is associated with, enter the following command:
aws iam list-instance-profiles-for-role \
    --role-name myec2role
b. The command output should provide all InstanceProfiles that the role is associated with.
c. To remove the role from an instance profile, enter the following command for each instance profile:
... see more
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
Cloudaware Framework → Role-Based Access Control (RBAC) Management | 9 | | | |