
IAM-001 Unused IAM Role


    AWS Identity and Access Management (IAM) roles are essential to providing permissions to teams and applications using your provisioned AWS infrastructure. As time passes and needs change, some created roles might be left unused in your AWS account. An IAM role is considered unused if there has been no usage/activity for this role in the past 90 days. It is highly recommended to remove these unused roles from your AWS account to prevent unauthorized access.

    This rule can help you with the following:

    Compliance Frameworks

    • SOC 2 Readiness Report
    • HIPAA Readiness Report
    • CIS Readiness Report

    AWS Well-Architected Lens

    • AWS Well-Architected Framework Lens
    • FTR Lens

    To help you identify these unused roles, IAM now reports the last-used timestamp that represents when a role was last used to make an AWS request. You or your security team can use this information to identify, analyze, and then confidently remove unused roles. This helps you improve the security posture of your AWS environments. Additionally, by removing unused roles, you can simplify your monitoring and auditing efforts by focusing only on roles that are in use.

    Audit

    To determine whether your AWS account contains unused IAM roles, perform the following:

    1. Sign in to the AWS Management Console.

    2. Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/.

    3. In the left navigation panel, select **Roles**.

    4. Look for the Last activity column (see screenshot below).

    This column displays the number of days that have passed since each role made an AWS service request. AWS records last-used information for the trailing 400 days. This is referred to as the tracking period.

    5. Sort the column by clicking on it to identify the roles your team has not used recently.

    6. Any role whose Last activity is more than 90 days can be considered unused. For example, myec2role in the screenshot above hasn't been used for 284 days.
     
    7. Click on the name of the role to view more information. The role Summary page also includes the Last activity, which displays the last used date for the role.

    Note that there are multiple pages, so you may have to click on the top arrows to view the information for all roles.

    8. Any role whose Last activity is blank (-) (as seen below for aws-glue-rc) has had no activity recorded in the past 400 days.

    9. Note the IAM Role Name(s) that meet the criteria as you will need them during the remediation section.

    1. Using the AWS CLI, run the list-roles command (OSX/Linux/UNIX) to list all IAM roles within your account:

    aws iam list-roles \
    --query 'Roles[*].RoleName'
    

     
    2. The command output should return an array that contains all your IAM role names.

    [
        "aamir-code-pipeline-poc-service-role",
        "aamir-mvn-s3-full-access",
        "abel-cloudfront-role-eki7dzxw",
        "abel-nclouds-role-sa0sujct",
        "Abel-SMS-Role",
        "AbelRole",
        "adamc-1-s3-bucket-admin",
        "adamc-lambda-s3-full-access",
        "adamc-s3-athena-etl",
        "Add-role-i5pyt44v",
        "adminaccesrole",
        ...
        "myec2role",
        ...
        "yasir-ec2-lambda-role-1a0w5ll6",
        "Yasir-IAM",
        "yasir-java-test-lambda-role-0wrz0ldn",
        "yasir-lambda-snapshot-role-mv24cge9",
        "yasir-s3",
        "yasir-test-java-role-krhi2xsi",
        "yasir-test-subcription-role-vybixbmn",
        "yasir-vpc-flow-logs-role",
        "YewnoPagerdutyMail-role-ivygwb9d"
    ]
    

     
    3. Run the get-role command (OSX/Linux/UNIX), passing the name of the IAM role you want to examine as a parameter, to retrieve its information:

    aws iam get-role \
    --role-name myec2role
    

     
    4. The command output should provide the metadata for the role, including the RoleLastUsed object, as shown below:

    {
        "Role": {
            "Path": "/",
            "RoleName": "myec2role",
            "RoleId": "AROA2DYVJGKZVNFMQD6DB",
            "Arn": "arn:aws:iam::695292474035:role/myec2role",
            "CreateDate": "2020-03-26T15:56:36+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "ec2.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "Description": "Allows EC2 instances to call AWS services on your behalf.",
            "MaxSessionDuration": 3600,
            "RoleLastUsed": {
                "LastUsedDate": "2020-12-17T19:33:50+00:00",
                "Region": "us-east-1"
            }
        }
    }
    

     
    5. The RoleLastUsed object contains the LastUsedDate and the Region in which the role was last used.
     
    6. If the LastUsedDate is 90 days or more in the past, the IAM role meets the unused criteria. If RoleLastUsed is present but contains no LastUsedDate, the role has not been used within the tracking period (i.e., the last 400 days) and also meets the unused criteria.
     
    7. Every IAM role in the AWS account should be examined using steps 3-6 to determine its usage.
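The following script applies steps 3-6 across many roles at once: it reads a stream of `aws iam get-role` results (list-roles itself does not return RoleLastUsed) and classifies each role with the 90-day rule, treating a missing LastUsedDate as "no activity in the 400-day tracking period". This is an added example, not part of the original page or nOps tooling; the sample roles, dates and reference time are constructed for the demonstration.

```python
import json
import sys
from datetime import datetime, timezone

UNUSED_AFTER_DAYS = 90  # the rule's threshold; IAM keeps last-used data for 400 days

def parse_concatenated_json(text):
    """Split a stream of back-to-back JSON documents (one per `aws iam get-role` call)."""
    decoder, docs, rest = json.JSONDecoder(), [], text.strip()
    while rest:
        doc, end = decoder.raw_decode(rest)
        docs.append(doc)
        rest = rest[end:].lstrip()
    return docs

def classify_role(get_role_output, now):
    """Apply the 90-day rule to one `aws iam get-role` result -> (name, status, days).
    days is None when IAM recorded no activity in the tracking period ("-" in the console)."""
    role = get_role_output["Role"]
    last_used = role.get("RoleLastUsed", {}).get("LastUsedDate")
    if not last_used:
        return role["RoleName"], "unused", None
    # AWS CLI v1 prints a trailing "Z" where v2 prints "+00:00"; accept both.
    days = (now - datetime.fromisoformat(last_used.replace("Z", "+00:00"))).days
    return role["RoleName"], "unused" if days >= UNUSED_AFTER_DAYS else "active", days

def unused_roles(get_role_outputs, now):
    """Names of the roles that meet the unused criteria, in input order."""
    return [n for n, s, _ in (classify_role(o, now) for o in get_role_outputs) if s == "unused"]

# Constructed sample: shaped like three get-role results, with made-up names,
# dates and a reference time (SAMPLE_NOW) chosen so that myec2role is 284 days old.
SAMPLE_NOW = datetime(2021, 9, 27, 20, 0, tzinfo=timezone.utc)
SAMPLE_TEXT = """
{"Role": {"RoleName": "myec2role",
          "RoleLastUsed": {"LastUsedDate": "2020-12-17T19:33:50+00:00", "Region": "us-east-1"}}}
{"Role": {"RoleName": "aws-glue-rc", "RoleLastUsed": {}}}
{"Role": {"RoleName": "recent-role",
          "RoleLastUsed": {"LastUsedDate": "2021-09-01T08:00:00+00:00", "Region": "us-west-2"}}}
"""

if __name__ == "__main__":
    # Real input: for r in $(aws iam list-roles --query 'Roles[*].RoleName' --output text); do
    #                aws iam get-role --role-name "$r"; done | python3 unused_roles.py
    live = not sys.stdin.isatty()
    text, now = (sys.stdin.read(), datetime.now(timezone.utc)) if live else (SAMPLE_TEXT, SAMPLE_NOW)
    for name, status, days in (classify_role(o, now) for o in parse_concatenated_json(text)):
        print(f"{name:40s} {status:7s} {'-' if days is None else days}")
```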

    Remediation / Resolution

    To delete any unused role in your AWS account, perform the following:

    When you use the AWS Management Console to delete a role, IAM also automatically deletes the policies associated with the role. It also deletes any Amazon EC2 instance profile that contains the role.

    1. Sign in to the AWS Management Console.

    2. Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/.

    3. In the left navigation panel, select **Roles**.

    4. Filter for the role that you want to delete (see the Audit section for role selection). You can type the first few letters of the role name in the search bar to find it quickly.

    5. Check the box next to the role name you intend to delete.

    6. At the top right corner, click the Delete button to delete the role.

    7. Review the last accessed information in the confirmation dialog. This lets you verify the active status of the selected roles, i.e., the last time an AWS service used them.

    a. If you want to proceed, enter the role’s name in the text input field and choose Delete.

    b. If you are sure, you can proceed with the deletion even if the last accessed information is still loading.

    8. Repeat steps 4-7 for each role that you want to delete from your AWS account.

    When you use the AWS CLI to delete a role, you must first delete the policies associated with the role. Also, if you want to delete the associated instance profile that contains the role, you must delete it separately.

    1. Run the get-role command (OSX/Linux/UNIX), passing the name of the IAM role you want to examine as a parameter, to retrieve its information:

    aws iam get-role \
    --role-name myec2role
    

     
    2. The command output should provide the metadata for the role, including the ARN of the role object, as shown below:

    {
        "Role": {
            "Path": "/",
            "RoleName": "myec2role",
            "RoleId": "AROA2DYVJGKZVNFMQD6DB",
            "Arn": "arn:aws:iam::695292474035:role/myec2role",
            "CreateDate": "2020-03-26T15:56:36+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "ec2.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "Description": "Allows EC2 instances to call AWS services on your behalf.",
            "MaxSessionDuration": 3600,
            "RoleLastUsed": {
                "LastUsedDate": "2020-12-17T19:33:50+00:00",
                "Region": "us-east-1"
            }
        }
    }
    

     
    3. Remove the role from all instance profiles that the role is in.

    a. To list all instance profiles that the role is associated with, enter the following command:

    aws iam list-instance-profiles-for-role \
    --role-name myec2role
    

    b. The command output should provide all InstanceProfiles that the role is associated with as shown below:

    {
        "InstanceProfiles": [
            {
                "Path": "/",
                "InstanceProfileName": "myec2role",
                "InstanceProfileId": "AIPA2DYVJGKZ7Z2R7O22U",
                "Arn": "arn:aws:iam::695292474035:instance-profile/myec2role",
                "CreateDate": "2020-03-26T15:56:39+00:00",
                "Roles": [
                    {
                        "Path": "/",
                        "RoleName": "myec2role",
                        "RoleId": "AROA2DYVJGKZVNFMQD6DB",
                        "Arn": "arn:aws:iam::695292474035:role/myec2role",
                        "CreateDate": "2020-03-26T15:56:36+00:00",
                        "AssumeRolePolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Principal": {
                                        "Service": "ec2.amazonaws.com"
                                    },
                                    "Action": "sts:AssumeRole"
                                }
                            ]
                        }
                    }
                ]
            }
        ]
    }
    

    c. To remove the role from an instance profile, enter the following command for each instance profile:

    aws iam remove-role-from-instance-profile \
    --instance-profile-name myec2role \
    --role-name myec2role
    

     
    4. To delete all inline policies that are associated with the role, perform the following:

    a. To list all policies that are in the role, enter the following command:

    aws iam list-role-policies \
    --role-name myec2role
    

    b. The command output should display all inline policies associated with the role:

    {
        "PolicyNames": [
            "ec2-list-policy"
        ]
    }
    

    c. To delete each policy from the role, enter the following command for each policy:

    aws iam delete-role-policy \
    --role-name myec2role \
    --policy-name ec2-list-policy
    

     
    5. Run delete-role command to delete the IAM role:

    aws iam delete-role \
    --role-name myec2role
    

     
    6. If you don’t intend to reuse the associated instance profiles, run the delete-instance-profile command to delete the IAM Instance Profile:

    aws iam delete-instance-profile \
    --instance-profile-name myec2role
    

     
    7. Repeat steps 1-6 for each role that you want to delete from your AWS account.
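The CLI steps 3-6 above must run in that order, because delete-role fails while the role is still in an instance profile or still has policies. The following added example (not code from the original page or from nOps) drives the AWS CLI through that sequence for one role and goes one step beyond the text by also detaching managed policies, which block delete-role just as inline ones do. The `run` callable is injectable, and the FAKE_RESPONSES table is a constructed stand-in for the page's myec2role account so the ordering can be exercised offline.

```python
import json
import subprocess

def aws_iam(args):
    """Run `aws iam <args>` and return the parsed JSON response (None for empty responses)."""
    proc = subprocess.run(["aws", "iam", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None

def delete_role(role_name, run=aws_iam, delete_profiles=False):
    """Tear down one IAM role in the CLI-required order; returns the commands issued.
    `run` executes one `aws iam` command; inject a fake (see below) to dry-run offline."""
    issued = []
    def call(args):
        issued.append(args)
        return run(args)
    # Step 3: remove the role from every instance profile it belongs to.
    profiles = [p["InstanceProfileName"] for p in
                call(["list-instance-profiles-for-role", "--role-name", role_name])["InstanceProfiles"]]
    for profile in profiles:
        call(["remove-role-from-instance-profile", "--instance-profile-name", profile, "--role-name", role_name])
    # Step 4: delete inline policies.
    for name in call(["list-role-policies", "--role-name", role_name])["PolicyNames"]:
        call(["delete-role-policy", "--role-name", role_name, "--policy-name", name])
    # Not in the page's steps: attached managed policies also block delete-role, so detach them.
    for pol in call(["list-attached-role-policies", "--role-name", role_name])["AttachedPolicies"]:
        call(["detach-role-policy", "--role-name", role_name, "--policy-arn", pol["PolicyArn"]])
    # Step 5: delete the role, then (step 6, optional) the now-empty instance profiles.
    call(["delete-role", "--role-name", role_name])
    if delete_profiles:
        for profile in profiles:
            call(["delete-instance-profile", "--instance-profile-name", profile])
    return issued

# Constructed fake account mirroring the page's myec2role example (one instance profile,
# one inline policy, no managed policies) so the teardown can be exercised without AWS.
FAKE_RESPONSES = {
    "list-instance-profiles-for-role": {"InstanceProfiles": [{"InstanceProfileName": "myec2role"}]},
    "list-role-policies": {"PolicyNames": ["ec2-list-policy"]},
    "list-attached-role-policies": {"AttachedPolicies": []},
}

def fake_aws_iam(args):
    """Answer list-* calls from FAKE_RESPONSES; mutating calls return nothing, like the CLI."""
    return FAKE_RESPONSES.get(args[0])

if __name__ == "__main__":
    for cmd in delete_role("myec2role", run=fake_aws_iam, delete_profiles=True):  # dry run
        print("aws iam", " ".join(cmd))
```

Swap `run=fake_aws_iam` for the default `aws_iam` to act on a real account; keep the dry run first and compare the printed commands against the role names recorded in the Audit section.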
