- Ensure unused policies are detached from users
Unused policies are attached to users
Description
AWS IAM policies define and regulate access permissions for IAM users, roles, and groups within an AWS account.
Policies that are considered not in use can be identified in the following scenarios:
- Excessive user policy: A policy is directly attached to an IAM user but is not actively utilized by that user.
- Excessive role policy: A policy is directly attached to an IAM role but is not being used by that role.
To mitigate the risk of unauthorized access, it is recommended to track the usage of IAM policies, identifying both active and inactive policies. This proactive monitoring helps prevent accidental misconfigurations that could result in unintended access or privilege escalation within the environment.
Fix - Runtime
CLI command
To detach an unused policy from a role, use the following command:
aws iam detach-role-policy --role-name <value> --policy-arn <value>
To detach an unused policy from a user, use the following command:
aws iam detach-user-policy --user-name <value> --policy-arn <value>
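Before detaching, you need evidence that a policy is actually unused. The following is an added example (not Prisma Cloud's or AWS's own code) that decides this from IAM Access Advisor data: it assumes the constructed JSON below matches the output of `aws iam list-attached-user-policies`, `aws iam get-service-last-accessed-details` and `aws iam list-policies-granting-service-access`, treats a directly attached managed policy as unused when no service it grants was authenticated to within the chosen window, and prints the detach commands from this page for review.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `aws iam list-attached-user-policies --user-name alice`
ATTACHED = json.loads("""{"AttachedPolicies": [
 {"PolicyName": "S3ReadOnly", "PolicyArn": "arn:aws:iam::123456789012:policy/S3ReadOnly"},
 {"PolicyName": "EC2Admin", "PolicyArn": "arn:aws:iam::123456789012:policy/EC2Admin"}]}""")

# Constructed sample of `aws iam get-service-last-accessed-details --job-id <id>`
# (Access Advisor). A service the user never authenticated to has no LastAuthenticated key.
LAST_ACCESSED = json.loads("""{"JobStatus": "COMPLETED", "ServicesLastAccessed": [
 {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
  "LastAuthenticated": "2024-05-01T10:00:00+00:00", "TotalAuthenticatedEntities": 1},
 {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2", "TotalAuthenticatedEntities": 0}]}""")

# Constructed sample of `aws iam list-policies-granting-service-access --arn <user-arn>
#   --service-namespaces s3 ec2` (query every namespace reported by Access Advisor).
GRANTING = json.loads("""{"PoliciesGrantingServiceAccess": [
 {"ServiceNamespace": "s3", "Policies": [{"PolicyName": "S3ReadOnly", "PolicyType": "MANAGED",
   "PolicyArn": "arn:aws:iam::123456789012:policy/S3ReadOnly", "EntityType": "USER", "EntityName": "alice"}]},
 {"ServiceNamespace": "ec2", "Policies": [{"PolicyName": "EC2Admin", "PolicyType": "MANAGED",
   "PolicyArn": "arn:aws:iam::123456789012:policy/EC2Admin", "EntityType": "USER", "EntityName": "alice"}]}]}""")

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current" time for the sample

def unused_user_policies(attached, last_accessed, granting, now, max_age_days=90):
    """ARNs of directly attached managed policies granting no service the user used within
    max_age_days. Access Advisor is per service, so a policy counts as used if any service
    it grants was used; it may still be broader than needed (review, do not auto-detach)."""
    cutoff = now - timedelta(days=max_age_days)
    used_services = set()
    for svc in last_accessed["ServicesLastAccessed"]:
        ts = svc.get("LastAuthenticated")
        if ts and datetime.fromisoformat(ts) >= cutoff:
            used_services.add(svc["ServiceNamespace"])
    used_policies = set()
    for entry in granting["PoliciesGrantingServiceAccess"]:
        if entry["ServiceNamespace"] in used_services:
            # Inline policies are not detachable, so only managed policy ARNs matter here.
            used_policies.update(p["PolicyArn"] for p in entry["Policies"] if p["PolicyType"] == "MANAGED")
    return [p["PolicyArn"] for p in attached["AttachedPolicies"] if p["PolicyArn"] not in used_policies]

def detach_commands(user_name, policy_arns):
    """Render the remediation command from this page for each unused policy."""
    return [f"aws iam detach-user-policy --user-name {user_name} --policy-arn {arn}" for arn in policy_arns]

if __name__ == "__main__":
    for cmd in detach_commands("alice", unused_user_policies(ATTACHED, LAST_ACCESSED, GRANTING, NOW)):
        print(cmd)
```

Access Advisor data covers at most the trailing tracking period AWS retains, so a policy granting a service that was last used before that period also shows as unused; confirm with CloudTrail before detaching.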