🛡️ AWS IAM Role unused🟢

• Contextual name: 🛡️ IAM Role Unused🟢
• ID: /ce/ca/aws/iam/role-unused
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: BEST_PRACTICE
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS IAM Role
  • 🔌 AWS IAM Role - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

AWS Identity and Access Management (IAM) roles are essential to providing permissions to teams and applications using your provisioned AWS infrastructure. As time passes and needs change, some created roles might be left unused in your AWS account. It is highly recommended to remove these unused roles from your AWS account to prevent unauthorized access.

Rationale

It's more secure to start with a minimum set of roles and add additional roles as necessary, rather than keep a maximum set of roles.

Audit

To determine if you have unused IAM roles, perform the following:

From Command Line

1. Run the list-roles command to list all IAM roles within your account:

   aws iam list-roles \
       --query 'Roles[*].RoleName'

2. The command output should return an array that contains all your IAM role names.

3. Run the get-role command using the IAM role name that you want to examine as a command parameter to retrieve its information:

   aws iam get-role \
       --role-name {{role-name}}

... see more

Remediation

Open File

Remediation

To delete any unused role in your AWS account, perform the following:

From Command Line

When you use the AWS CLI to delete a role, you must first delete the policies associated with the role. Also, if you want to delete the associated instance profile that contains the role, you must delete it separately.

1. Run the get-role command using the IAM role name that you want to examine as a command parameter to retrieve its information:

   aws iam get-role \
       --role-name {{role-name}}

2. The command output should provide the metadata for the role, including the ARN of the role object.

3. Remove the role from all instance profiles that the role is in.

   a. To list all instance profiles that the role is associated with, enter the following command:

   aws iam list-instance-profiles-for-role \
       --role-name {{role-name}}

   b. The command output should provide all instance profiles that the role is associated with.

   c. To remove the role from an instance profile, enter the following command for each instance profile:

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 Cloudaware Framework → 💼 Role-Based Access Control (RBAC) Management			18		no data