AWS Identity and Access Management (IAM) roles are essential to providing permissions to teams and applications using your provisioned AWS infrastructure. As time passes and needs change, some created roles might be left unused in your AWS account. An IAM role is considered unused if there has been no usage/activity for this role in the past 90 days. It is highly recommended to remove these unused roles from your AWS account to prevent unauthorized access.
This rule can help you with the following:
- Compliance Frameworks
- AWS Well-Architected Lens
To help you identify these unused roles, IAM now reports the last-used timestamp that represents when a role was last used to make an AWS request. You or your security team can use this information to identify, analyze, and then confidently remove unused roles. This helps you improve the security posture of your AWS environments. Additionally, by removing unused roles, you can simplify your monitoring and auditing efforts by focusing only on roles that are in use.
To determine whether your AWS account contains unused IAM roles, perform the following:
1. Sign in to the AWS Management Console.
2. Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/.
3. In the left navigation panel, select **Roles**.
4. Look for the Last activity column (see screenshot below). This column displays the number of days that have passed since each role made an AWS service request. AWS records last-used information for the trailing 400 days. This is referred to as the tracking period.
5. Sort the column by clicking on it to identify the roles your team has not used recently.
6. Any role that has a Last activity of more than 90 days can be considered unused. For example, myec2role in the screenshot above hasn't been used for 284 days.
7. Click on the name of the role to view more information. The role Summary page also includes the Last activity, which displays the last used date for the role. Note that there are multiple pages, so you may have to click on the top arrows to view the information for all roles.
8. Any role with a blank Last activity (-) (as seen below for aws-glue-rc) means no activity has been recorded for the past 400 days.
9. Note the IAM role name(s) that meet the criteria, as you will need them during the remediation section.
1. Run the list-roles command (OSX/Linux/UNIX) to list all IAM roles within your account:

```shell
aws iam list-roles \
  --query 'Roles[*].RoleName'
```

2. The command output should return an array that contains all your IAM role names:

```json
[
  "aamir-code-pipeline-poc-service-role",
  "aamir-mvn-s3-full-access",
  "abel-cloudfront-role-eki7dzxw",
  "abel-nclouds-role-sa0sujct",
  "Abel-SMS-Role",
  "AbelRole",
  "adamc-1-s3-bucket-admin",
  "adamc-lambda-s3-full-access",
  "adamc-s3-athena-etl",
  "Add-role-i5pyt44v",
  "adminaccesrole",
  ...
  "myec2role"
  ...
  "yasir-ec2-lambda-role-1a0w5ll6",
  "Yasir-IAM",
  "yasir-java-test-lambda-role-0wrz0ldn",
  "yasir-lambda-snapshot-role-mv24cge9",
  "yasir-s3",
  "yasir-test-java-role-krhi2xsi",
  "yasir-test-subcription-role-vybixbmn",
  "yasir-vpc-flow-logs-role",
  "YewnoPagerdutyMail-role-ivygwb9d"
]
```
3. Run the get-role command (OSX/Linux/UNIX), passing the name of the IAM role that you want to examine as a command parameter, to retrieve its information:

```shell
aws iam get-role \
  --role-name myec2role
```
4. The command output should provide the metadata for the role, including the RoleLastUsed object, as shown below:

```json
{
  "Role": {
    "Path": "/",
    "RoleName": "myec2role",
    "RoleId": "AROA2DYVJGKZVNFMQD6DB",
    "Arn": "arn:aws:iam::695292474035:role/myec2role",
    "CreateDate": "2020-03-26T15:56:36+00:00",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    },
    "Description": "Allows EC2 instances to call AWS services on your behalf.",
    "MaxSessionDuration": 3600,
    "RoleLastUsed": {
      "LastUsedDate": "2020-12-17T19:33:50+00:00",
      "Region": "us-east-1"
    }
  }
}
```
5. The RoleLastUsed object contains the LastUsedDate and the Region in which the role was last used.
6. If the LastUsedDate is 90 days or more in the past, then the IAM role meets the unused criteria. If RoleLastUsed is present but does not contain a value, then the role has not been used within the tracking period (i.e., the last 400 days) and also meets the unused criteria.
7. Every IAM role in the AWS account should be examined using steps 3-6 to determine its usage.
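The classification rule in steps 5 and 6 (90 days or more since LastUsedDate, or an empty RoleLastUsed meaning nothing in the 400-day tracking period) is easy to get wrong by hand across hundreds of roles. The script below is an added example, not nOps' or AWS' code: it applies that rule to the JSON that `aws iam get-role` prints, so it can run offline over saved CLI output. The three sample outputs are constructed for the example (the first is the page's myec2role trimmed to the fields used; the other two role names and dates are assumed), and AUDIT_CLOCK is a fixed "now" chosen so that myec2role shows the page's 284 days.

```python
"""Classify IAM roles as unused from saved `aws iam get-role` output."""
import json
from datetime import datetime, timezone

UNUSED_AFTER_DAYS = 90      # the page's threshold for "unused"
TRACKING_PERIOD_DAYS = 400  # how far back IAM records last-used data

# Fixed clock so the example is reproducible (assumed audit date).
AUDIT_CLOCK = datetime(2021, 9, 28, tzinfo=timezone.utc)

# Constructed samples: the page's myec2role (trimmed), a role that IAM has no
# activity for, and a recently used role. Names/dates of the last two are assumed.
SAMPLE_GET_ROLE_OUTPUTS = [
    json.dumps({"Role": {"RoleName": "myec2role",
                         "RoleLastUsed": {"LastUsedDate": "2020-12-17T19:33:50+00:00",
                                          "Region": "us-east-1"}}}),
    json.dumps({"Role": {"RoleName": "never-used-role", "RoleLastUsed": {}}}),
    json.dumps({"Role": {"RoleName": "active-role",
                         "RoleLastUsed": {"LastUsedDate": "2021-09-20T08:00:00+00:00",
                                          "Region": "eu-west-1"}}}),
]


def classify_role(get_role_output: str, now: datetime) -> dict:
    """Return the role name, days since last use (None if never recorded) and the verdict."""
    role = json.loads(get_role_output)["Role"]
    last_used = role.get("RoleLastUsed", {}).get("LastUsedDate")
    if last_used is None:
        # RoleLastUsed present but empty: no request inside the tracking period.
        return {"RoleName": role["RoleName"], "DaysSinceLastUse": None, "Unused": True,
                "Reason": f"no activity recorded in the last {TRACKING_PERIOD_DAYS} days"}
    last_used_at = datetime.fromisoformat(last_used)  # CLI prints ISO 8601 with offset
    days = (now - last_used_at).days
    return {"RoleName": role["RoleName"], "DaysSinceLastUse": days,
            "Unused": days >= UNUSED_AFTER_DAYS,
            "Reason": f"last used {days} days ago in {role['RoleLastUsed'].get('Region')}"}


def unused_roles(get_role_outputs, now=None) -> list:
    """Names of the roles in `get_role_outputs` that meet the unused criteria."""
    now = now or datetime.now(timezone.utc)
    return [r["RoleName"]
            for r in (classify_role(o, now) for o in get_role_outputs)
            if r["Unused"]]


if __name__ == "__main__":
    for out in SAMPLE_GET_ROLE_OUTPUTS:
        print(classify_role(out, AUDIT_CLOCK))
    print("unused:", unused_roles(SAMPLE_GET_ROLE_OUTPUTS, AUDIT_CLOCK))
```

In practice you would feed it the real output, e.g. `aws iam get-role --role-name "$name"` for each name returned by list-roles in step 1, and review the resulting list before moving to the remediation section.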
To delete any unused role in your AWS account, perform the following:
When you use the AWS Management Console to delete a role, IAM also automatically deletes the policies associated with the role. It also deletes any Amazon EC2 instance profile that contains the role.
1. Sign in to the AWS Management Console.
2. Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/.
3. In the left navigation panel, select **Roles**.
4. Filter for the role that you want to delete (see the audit section for role selection). You can type the first few letters of the role name in the Search bar to filter to the role easily.
5. Check the box next to the role name you intend to delete.
6. At the top right corner, click the Delete button to delete the role.
7. Review the last accessed information in the confirmation dialog prompt. This will help check the active status of the selected roles, i.e., the last time an AWS Service used them.
a. If you want to proceed, enter the role's name in the text input field and choose Delete.
b. If you are sure, you can proceed with the deletion even if the last accessed information is still loading.
8. Repeat steps 4 -7 for each role that you want to delete from your AWS account.
When you use the AWS CLI to delete a role, you must first delete the policies associated with the role. Also, if you want to delete the associated instance profile that contains the role, you must delete it separately.
1. Run the get-role command (OSX/Linux/UNIX), passing the name of the IAM role that you want to examine as a command parameter, to retrieve its information:

```shell
aws iam get-role \
  --role-name myec2role
```
2. The command output should provide the metadata for the role, including the ARN of the role object, as shown below:

```json
{
  "Role": {
    "Path": "/",
    "RoleName": "myec2role",
    "RoleId": "AROA2DYVJGKZVNFMQD6DB",
    "Arn": "arn:aws:iam::695292474035:role/myec2role",
    "CreateDate": "2020-03-26T15:56:36+00:00",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    },
    "Description": "Allows EC2 instances to call AWS services on your behalf.",
    "MaxSessionDuration": 3600,
    "RoleLastUsed": {
      "LastUsedDate": "2020-12-17T19:33:50+00:00",
      "Region": "us-east-1"
    }
  }
}
```
3. Remove the role from all instance profiles that the role is in.
a. To list all instance profiles that the role is associated with, enter the following command:

```shell
aws iam list-instance-profiles-for-role \
  --role-name myec2role
```

b. The command output should list all InstanceProfiles that the role is associated with, as shown below:

```json
{
  "InstanceProfiles": [
    {
      "Path": "/",
      "InstanceProfileName": "myec2role",
      "InstanceProfileId": "AIPA2DYVJGKZ7Z2R7O22U",
      "Arn": "arn:aws:iam::695292474035:instance-profile/myec2role",
      "CreateDate": "2020-03-26T15:56:39+00:00",
      "Roles": [
        {
          "Path": "/",
          "RoleName": "myec2role",
          "RoleId": "AROA2DYVJGKZVNFMQD6DB",
          "Arn": "arn:aws:iam::695292474035:role/myec2role",
          "CreateDate": "2020-03-26T15:56:36+00:00",
          "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Principal": {
                  "Service": "ec2.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
              }
            ]
          }
        }
      ]
    }
  ]
}
```

c. To remove the role from an instance profile, enter the following command for each instance profile:

```shell
aws iam remove-role-from-instance-profile \
  --instance-profile-name myec2role \
  --role-name myec2role
```
4. To delete all inline policies that are associated with the role, perform the following:
a. To list all policies that are in the role, enter the following command:

```shell
aws iam list-role-policies \
  --role-name myec2role
```

b. The command output should display all inline policies associated with the role:

```json
{
  "PolicyNames": [
    "ec2-list-policy"
  ]
}
```

c. To delete each policy from the role, enter the following command for each policy:

```shell
aws iam delete-role-policy \
  --role-name myec2role \
  --policy-name ec2-list-policy
```

5. Run the delete-role command to delete the IAM role:

```shell
aws iam delete-role \
  --role-name myec2role
```

6. If you don't intend to reuse the associated instance profiles, run the delete-instance-profile command to delete the IAM instance profile:

```shell
aws iam delete-instance-profile \
  --instance-profile-name myec2role
```

7. Repeat steps 1-6 for each role that you want to delete from your AWS account.
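The CLI steps 3 to 6 above must run in dependency order: delete-role is rejected with a DeleteConflict error while the role is still in an instance profile or still has policies on it. The script below is an added example, not nOps' or AWS' code; it consumes saved output of the list commands from steps 3 and 4 and returns the `aws iam` invocations as an ordered dry-run plan rather than executing them. It goes one step beyond the page: it also reads `aws iam list-attached-role-policies` output and detaches managed policies (with detach-role-policy, never deleting the policy itself, since it may be shared or AWS-managed), which delete-role also requires and which the page's inline-policy step does not cover. The instance-profile and inline-policy samples are modelled on the page's myec2role output; the attached managed policy is an assumed sample.

```python
"""Ordered AWS CLI remediation plan for one unused IAM role (dry run by default)."""
import json
import subprocess

# Constructed samples modelled on the page's myec2role output.
SAMPLE_INSTANCE_PROFILES = json.dumps({"InstanceProfiles": [
    {"InstanceProfileName": "myec2role", "Roles": [{"RoleName": "myec2role"}]}]})
SAMPLE_INLINE_POLICIES = json.dumps({"PolicyNames": ["ec2-list-policy"]})
# Assumed managed-policy attachment; not on the page.
SAMPLE_ATTACHED_POLICIES = json.dumps({"AttachedPolicies": [
    {"PolicyName": "AmazonS3ReadOnlyAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}]})


def remediation_plan(role_name, instance_profiles_json, inline_policies_json,
                     attached_policies_json, delete_instance_profiles=True):
    """Return the aws CLI commands, as argument lists in dependency order, that remove `role_name`."""
    profiles = [p["InstanceProfileName"]
                for p in json.loads(instance_profiles_json)["InstanceProfiles"]]
    inline = json.loads(inline_policies_json)["PolicyNames"]
    attached = [p["PolicyArn"]
                for p in json.loads(attached_policies_json)["AttachedPolicies"]]

    plan = []
    for profile in profiles:  # step 3c: the role must leave every instance profile first
        plan.append(["aws", "iam", "remove-role-from-instance-profile",
                     "--instance-profile-name", profile, "--role-name", role_name])
    for name in inline:       # step 4c: inline policies are deleted with the role
        plan.append(["aws", "iam", "delete-role-policy",
                     "--role-name", role_name, "--policy-name", name])
    for arn in attached:      # managed policies are only detached, never deleted
        plan.append(["aws", "iam", "detach-role-policy",
                     "--role-name", role_name, "--policy-arn", arn])
    plan.append(["aws", "iam", "delete-role", "--role-name", role_name])  # step 5
    if delete_instance_profiles:  # step 6: optional, only if the profile will not be reused
        for profile in profiles:
            plan.append(["aws", "iam", "delete-instance-profile",
                         "--instance-profile-name", profile])
    return plan


def run_plan(plan, execute=False):
    """Print each command; only when execute=True run it (needs the AWS CLI and credentials)."""
    for cmd in plan:
        print(" ".join(cmd))
        if execute:
            subprocess.run(cmd, check=True)  # stop at the first failure so order is preserved


if __name__ == "__main__":
    run_plan(remediation_plan("myec2role", SAMPLE_INSTANCE_PROFILES,
                              SAMPLE_INLINE_POLICIES, SAMPLE_ATTACHED_POLICIES))
```

Review the printed plan against the roles you noted in the audit section before calling `run_plan(..., execute=True)`; printing first gives you the same last chance to catch a wrong role name that the console's confirmation dialog provides.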
© nOps 2024. All Rights Reserved.