๐ก๏ธ AWS IAM Role unused๐ข
- Contextual name: ๐ก๏ธ IAM Role Unused๐ข
- ID:
/ce/ca/aws/iam/role-unused - Tags:
- ๐ข Policy with categories
- ๐ข Policy with type
- ๐ข Production policy
- Policy Type:
BEST_PRACTICE - Policy Categories:
SECURITY
Logicโ
- ๐ง prod.logic.yaml๐ข
- ๐ AWS IAM Role
- ๐ AWS IAM Role - object.extracts.yaml
- ๐งช test-data.json
Descriptionโ
Descriptionโ
AWS Identity and Access Management (IAM) roles are essential to providing permissions to teams and applications using your provisioned AWS infrastructure. As time passes and needs change, some created roles might be left unused in your AWS account. It is highly recommended to remove these unused roles from your AWS account to prevent unauthorized access.
Rationaleโ
It's more secure to start with a minimum set of roles and add additional roles as necessary, rather than hold maximum set of roles.
Auditโ
To determine if you have unused IAM roles, perform the following:
From Command Lineโ
Run list-roles command (OSX/Linux/UNIX) to list all IAM roles within your account
aws iam list-roles \\
--query 'Roles[*].RoleName'The command output should return an array that contains all your IAM role names.
Run get-iam-role command (OSX/Linux/UNIX) using the IAM role name that you want to examine as a command parameter to retrieve its information:
aws iam get-role \\
--role-name myec2role... see more
Remediationโ
Remediationโ
To delete any unused role in your AWS account, perform the following:
From Command Lineโ
When you use the AWS CLI to delete a role, you must first delete the policies associated with the role. Also, if you want to delete the associated instance profile that contains the role, you must delete it separately.
Run get-iam-role command (OSX/Linux/UNIX) using the IAM role name that you want to examine as a command parameter to retrieve its information:
aws iam get-role \\
--role-name myec2roleThe command output should provide the metadata for the role, including the ARN of the role object.
Remove the role from all instance profiles that the role is in.
a. To list all instance profiles that the role is associated with, enter the following command:
aws iam list-instance-profiles-for-role \\
--role-name myec2roleb. The command output should provide all InstanceProfiles that the role is associated with
c. To remove the role from an instance profile, enter the following command for each instance profile:
... see more
policy.yamlโ
Linked Framework Sectionsโ
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| ๐ผ Cloudaware Framework โ ๐ผ Role-Based Access Control (RBAC) Management | 13 | no data |