Unused policies are attached to groups

Description

Removing inactive IAM groups reduces the risk that such groups are inadvertently used to grant unauthorized access to AWS resources. Likewise, detaching unused policies ensures they cannot be picked up by an unauthorized actor and used to make unauthorized changes within the account.

It is recommended to continuously track the usage of IAM policies and groups and to identify those that have become inactive. This proactive monitoring helps prevent the accidental assignment of unused policies or groups, which could inadvertently enable unauthorized access or privilege escalation within your AWS environment.

Fix - Runtime Remediation

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the [Amazon IAM console](https://console.aws.amazon.com/iam/).
  3. In the navigation pane, choose Groups, Users, or Roles.
  4. From the list, select the name of the group, user, or role that has the policy you want to remove.
  5. Choose the Permissions tab. If you chose Groups, expand the Inline Policies section if necessary.
  6. If in Groups, choose Remove Policy. If in Users or Roles, choose X.

CLI Command

To detach a policy from a group, use the following command:

```shell
aws iam detach-group-policy \
  --group-name Testers \
  --policy-arn arn:aws:iam::123456789012:policy/TesterAccessPolicy
```
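The console and CLI steps above remediate one group at a time. The following added example (not part of the original page, and not code from the policy's own project) shows how the tracking the description recommends can be automated: it inventories IAM groups with boto3, flags managed policies that are attached to groups with no members (the approximation of "unused" used here), and renders the matching `detach-group-policy` commands. Assumptions: boto3 is installed and credentials with `iam:ListGroups`, `iam:GetGroup` and `iam:ListAttachedGroupPolicies` are configured when `collect_inventory()` is called; the sample inventory below is constructed so the analysis can be run offline, reusing the account ID and policy name from the command above.

```python
"""Find managed policies attached to member-less IAM groups and render the remediation.

Added example, not the page's own code. The analysis functions are pure, so
they run offline on SAMPLE_INVENTORY; collect_inventory() needs boto3 and
AWS credentials with read-only IAM permissions.
"""

from typing import Dict, List, Tuple

# Constructed sample inventory: {group_name: {"users": [...], "policies": [...]}}
SAMPLE_INVENTORY: Dict[str, dict] = {
    "Testers": {
        "users": [],  # no members: anything attached here is effectively unused
        "policies": ["arn:aws:iam::123456789012:policy/TesterAccessPolicy"],
    },
    "Developers": {
        "users": ["alice"],
        "policies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
    },
    "Auditors": {"users": [], "policies": []},  # empty group, nothing attached
}


def collect_inventory() -> Dict[str, dict]:
    """Build the same inventory shape from live IAM (requires boto3 + credentials)."""
    import boto3  # imported here so the offline analysis has no dependency on it

    iam = boto3.client("iam")
    inventory: Dict[str, dict] = {}
    for page in iam.get_paginator("list_groups").paginate():
        for group in page["Groups"]:
            name = group["GroupName"]
            users: List[str] = []
            for upage in iam.get_paginator("get_group").paginate(GroupName=name):
                users.extend(u["UserName"] for u in upage["Users"])
            policies: List[str] = []
            for ppage in iam.get_paginator("list_attached_group_policies").paginate(GroupName=name):
                policies.extend(p["PolicyArn"] for p in ppage["AttachedPolicies"])
            inventory[name] = {"users": users, "policies": policies}
    return inventory


def find_unused_group_policies(inventory: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return (group, policy_arn) pairs for policies attached to groups with no members.

    Groups are visited in sorted order so the report is deterministic.
    """
    findings: List[Tuple[str, str]] = []
    for group, info in sorted(inventory.items()):
        if not info["users"]:
            for arn in info["policies"]:
                findings.append((group, arn))
    return findings


def remediation_commands(findings: List[Tuple[str, str]]) -> List[str]:
    """Render one `aws iam detach-group-policy` command per finding for review."""
    return [
        f"aws iam detach-group-policy --group-name {group} --policy-arn {arn}"
        for group, arn in findings
    ]


def detach(findings: List[Tuple[str, str]], apply: bool = False) -> int:
    """Detach the flagged policies via the API; dry-run unless apply=True.

    Returns the number of detachments performed (0 on a dry run).
    """
    if not apply:
        return 0
    import boto3

    iam = boto3.client("iam")
    for group, arn in findings:
        iam.detach_group_policy(GroupName=group, PolicyArn=arn)
    return len(findings)


if __name__ == "__main__":
    # Offline demonstration on the constructed inventory; swap in
    # collect_inventory() to run against a real account.
    found = find_unused_group_policies(SAMPLE_INVENTORY)
    for cmd in remediation_commands(found):
        print(cmd)
    print(f"dry run: {detach(found)} policies detached")
```

Review the rendered commands before calling `detach(..., apply=True)`; a group with no members today may be populated by an automated onboarding flow, so the member-less heuristic is a starting point for the tracking the description recommends, not a final verdict.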