AWS IAM

Unused Roles

This plugin ensures that IAM roles that have not been used within the specified time window are identified and removed.

Risk Level: Medium

Description: 

This plugin ensures that IAM roles that have not been used within the specified time window are identified and removed. IAM roles that have not been used for a long period of time may carry old access policies, and those policies can grant unintended access to resources if the role is accidentally attached to a new service. Such roles should be removed.

Configuration Parameters

IAM Role Last Used Window Threshold: The organization can define the maximum number of days an IAM role may remain unused, depending on its service needs. Once a role has been unused for longer than the set period (by default 180 days), an issue is generated.
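The check described above, written out as an added example (not the plugin's own code): roles are compared against the threshold using the `RoleLastUsed.LastUsedDate` field that `iam.get_role()` returns, and a role that has never been used falls back to its `CreateDate`, since a never-used role has no last-used timestamp. The sample records are constructed, not real account data, and the `get_role`/`list_roles` fetch is shown only in a comment so the block runs offline.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_THRESHOLD_DAYS = 180  # page default for "IAM Role Last Used Window Threshold"


def find_unused_roles(roles, threshold_days=DEFAULT_THRESHOLD_DAYS, now=None):
    """Return (role_name, days_idle, reason) for each role idle longer than the threshold.

    `roles` are dicts shaped like iam.get_role()["Role"]: they carry CreateDate and,
    when the role has been used, RoleLastUsed["LastUsedDate"] (both tz-aware datetimes).
    ListRoles does not populate RoleLastUsed, so real data must come from GetRole, e.g.
    [iam.get_role(RoleName=r["RoleName"])["Role"] for page in iam.get_paginator(
        "list_roles").paginate() for r in page["Roles"]]
    A role with no LastUsedDate has never been used (or not within AWS's tracking
    window), so its idle time is measured from CreateDate instead.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=threshold_days)
    findings = []
    for role in roles:
        last_used = role.get("RoleLastUsed", {}).get("LastUsedDate")
        if last_used is not None:
            anchor, reason = last_used, "last used"
        else:
            anchor, reason = role["CreateDate"], "never used since creation"
        if anchor < cutoff:  # idle longer than the configured window: raise an issue
            findings.append((role["RoleName"], (now - anchor).days, reason))
    return findings


# Constructed sample records (hypothetical role names, not real account data).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_ROLES = [
    {"RoleName": "app-deploy", "CreateDate": NOW - timedelta(days=400),
     "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=3), "Region": "us-east-1"}},
    {"RoleName": "legacy-batch", "CreateDate": NOW - timedelta(days=700),
     "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=210), "Region": "us-west-2"}},
    {"RoleName": "poc-2022", "CreateDate": NOW - timedelta(days=365),
     "RoleLastUsed": {}},  # never used: aged from CreateDate, flagged
    {"RoleName": "new-service", "CreateDate": NOW - timedelta(days=10),
     "RoleLastUsed": {}},  # never used but still inside the window: not flagged
]

if __name__ == "__main__":
    for name, days, reason in find_unused_roles(SAMPLE_ROLES, now=NOW):
        print(f"{name}: {reason}, idle {days} days (> {DEFAULT_THRESHOLD_DAYS})")
```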

About the Service :

AWS Identity and Access Management (IAM) allows you to securely manage access to AWS services and resources. With IAM, you can create and manage AWS users and groups and use permissions to allow or deny their access to AWS resources.

We can discover and adjust the rules so that only the required services are accessible, and thus adhere more closely to the principle of least privilege.

Impact : 

Not running this check can have dangerous consequences. Unused IAM roles can still carry old access policies, and those policies can give unintended access to malicious users.

Steps to reproduce :

  1. Login to AWS Management Console.
  2. Navigate to the IAM dashboard.
    https://console.aws.amazon.com/iam 
  3. Click on Roles in the left navigation panel under the Identity and Access Management (IAM) heading
  4. Click on the role you want to examine.
  5. Check the Last Activity section. If it shows no activity within the threshold period, the role is unused.
  6. Repeat the steps for other roles as well.

Steps for remediation :

  1. Login to AWS Management Console.
  2. Navigate to the IAM dashboard.
    https://console.aws.amazon.com/iam 
  3. Click on Roles in the left navigation panel under the Identity and Access Management (IAM) heading
  4. Click on the role you want to examine.
  5. Check the Last Activity section. If it shows no activity within the threshold period, the role is unused.
  6. In order to overcome this problem, we will delete the unused roles.
  7. Click on the Delete role button in the top right corner of the selected role.
  8. Repeat the steps for other unused roles.

References: