Unused policies are attached to roles

Description

AWS IAM policies manage access permissions for IAM users, roles, and groups within an AWS account.

A policy is considered not in use under either of the following conditions:

  • Excessive user policy: a policy is attached directly to an IAM user, but the user has not exercised any of the permissions it grants.
  • Excessive role policy: a policy is attached directly to an IAM role, but no session that assumed the role has exercised any of the permissions it grants.

To reduce the risk of unauthorized access and privilege misconfiguration, periodically review which attached policies are actually exercised and detach those that are not. IAM Access Advisor (the "service last accessed" data) records, per service, when a user or role last used a permission, and is the usual basis for that review. An unused attachment is standing privilege that nobody needs: anyone who compromises the user's credentials or assumes the role inherits it, and it is easy to overlook, or to copy onto other principals, in later reviews.

Fix - Runtime

CLI command

To detach an unused policy from a role, use the following command:

aws iam detach-role-policy --role-name <value> --policy-arn <value>

To detach an unused policy from a user, use the following command:

aws iam detach-user-policy --user-name <value> --policy-arn <value>

Both commands apply to managed policies only; an unused inline policy is removed with delete-role-policy or delete-user-policy instead. Confirm from the last-accessed data (or CloudTrail) that nothing still depends on the policy before detaching it, because the change also applies to sessions that already exist.
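Putting the detection and the fix together, as an added example that is not part of the original page: the script below reads a policy document together with the entity's Access Advisor report (the ServicesLastAccessed list returned by `aws iam get-service-last-accessed-details`, after a job started with `aws iam generate-service-last-accessed-details --arn <entity-arn>`), flags a managed policy as unused when none of the services it allows was authenticated inside the lookback window, and emits the matching detach command for review. The policy documents, the report, the account ID, the role name and the 90-day window are all constructed or assumed for illustration; none of it is page content or AWS tooling.

```python
"""Flag attached IAM managed policies that no longer do any work.

Added example (not from the original page). All data below is constructed
sample input shaped like the AWS CLI output; the account ID, names and the
90-day window are assumptions.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # assumed "today" for the sample
ROLE_NAME = "app-role"                           # hypothetical role name

# Constructed policy documents keyed by (fictional) policy ARN.
SAMPLE_POLICIES = {
    "arn:aws:iam::123456789012:policy/S3ReadOnly": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}],
    },
    "arn:aws:iam::123456789012:policy/LegacyCompute": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
            {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
            {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
        ],
    },
    "arn:aws:iam::123456789012:policy/BreakGlassAdmin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
}

# Constructed ServicesLastAccessed entries for app-role (same shape as the CLI output).
SAMPLE_REPORT = [
    {"ServiceNamespace": "s3", "LastAuthenticated": "2024-02-01T10:00:00Z", "TotalAuthenticatedEntities": 1},
    {"ServiceNamespace": "ec2", "LastAuthenticated": "2023-01-15T08:30:00+00:00", "TotalAuthenticatedEntities": 1},
    {"ServiceNamespace": "dynamodb", "TotalAuthenticatedEntities": 0},  # never used: no LastAuthenticated key
]


def _parse_ts(ts):
    """Parse the ISO-8601 timestamp the CLI prints; treat a naive value as UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def allowed_services(policy_doc):
    """Service namespaces granted by the policy's Allow statements.

    Returns None when the policy cannot be judged per service ("*" or NotAction)
    and an empty set for a Deny-only policy; neither should be auto-detached.
    """
    services = set()
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never show up in Access Advisor data
        if "NotAction" in stmt:
            return None
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action == "*":
                return None
            services.add(action.split(":", 1)[0].lower())
    return services


def policy_is_unused(policy_doc, services_last_accessed, now=NOW, lookback_days=90):
    """True when no service the policy allows was authenticated within the window.

    A service missing from the report, or present without LastAuthenticated,
    counts as never used. Access Advisor is service-level (unless ACTION_LEVEL
    granularity is requested) and keeps at most 400 days of history, so a policy
    that allows an otherwise-used service is kept even if its own actions were
    never called.
    """
    services = allowed_services(policy_doc)
    if not services:
        return False  # too broad (None) or Deny-only (empty set): keep, review by hand
    cutoff = now - timedelta(days=lookback_days)
    last_seen = {
        e["ServiceNamespace"].lower(): _parse_ts(e["LastAuthenticated"])
        for e in services_last_accessed if e.get("LastAuthenticated")
    }
    return not any(svc in last_seen and last_seen[svc] >= cutoff for svc in services)


def detach_commands(entity_type, entity_name, policies, report, now=NOW, lookback_days=90):
    """Build the detach-role-policy / detach-user-policy commands for unused policies."""
    if entity_type not in ("role", "user"):
        raise ValueError("entity_type must be 'role' or 'user'")
    return [
        f"aws iam detach-{entity_type}-policy --{entity_type}-name {entity_name} --policy-arn {arn}"
        for arn, doc in policies.items()
        if policy_is_unused(doc, report, now, lookback_days)
    ]


if __name__ == "__main__":
    for cmd in detach_commands("role", ROLE_NAME, SAMPLE_POLICIES, SAMPLE_REPORT):
        print(cmd)
```

On the sample data only LegacyCompute is reported (EC2 was last used over a year ago and DynamoDB never), while S3ReadOnly is kept because S3 was used last month and BreakGlassAdmin is kept because a "*" grant cannot be judged per service. The deliberately conservative cases (wildcard, NotAction, Deny-only) are left for a human, and the report should only be trusted once its JobStatus is COMPLETED; an empty report from a job still running looks exactly like "never used".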