Unused IAM role more than 90 days

Unused IAM role more than 90 days, or IAM role was not in use at all (if lastUsedDate in null).

Risk Level: Low
Cloud Entity: IAM Role
CloudGuard Rule ID: D9.AWS.IAM.63
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

IamRole should not have roleLastUsed.lastUsedDate before(-90,'days')

REMEDIATION

From Portal
Use following steps to identify unused IAM roles from AWS console:

  1. Sign in to the AWS Management Console.
  2. Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/.
  3. In the left navigation panel, select Roles.
  4. Look for the Last activity column.
    Note: This column displays the number of days that have passed since each role made an AWS service request. AWS records last-used information for the trailing 400 days. This is referred to as the tracking period.
  5. Sort the column by clicking on it to identify the roles your team has not used recently.
  6. Any role that has Last activity of more than 90 days can be considered unused.
  7. Click on the name of the role to view more information. The role Summary page also includes the Last activity, which displays the last used date for the role.
    Note that there are multiple pages, so you may have to click on the top arrows to view the information for all roles.
  8. Any role with Last Activity as Blank (-) means no activity has been recorded for the past 400 days.

Use following steps to delete the unused roles from AWS console:
Note: Ensure that the rule is necessary and follows the least privilege principle, otherwise consider deleting the role.

  1. Sign in to the AWS Management Console.
  2. Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/.
  3. In the left navigation panel, select Roles.
  4. Filter the role that you want to delete. You can use the Search bar and type the role initial few letters to filter to the role easily.
  5. Check the box next to the role name you intend to delete.
  6. At the top right corner, click the Delete button to delete the role.
  7. Review the last accessed information in the confirmation dialog prompt. This will help check the active status of the selected roles, i.e., the last time an AWS Service used them.
    a. If you want to proceed, enter the role's name in the text input field and choose Delete.
    b. If you are sure, you can proceed with the deletion even if the last accessed information is still loading.

From Command Line
Note: When you use the AWS CLI to delete a role, you must first delete the policies associated with the role. Also, if you want to delete the associated instance profile that contains the role, you must delete it separately.

  1. Remove the role from all instance profiles that the role is in.

a. Use the following command to list all instance profiles that the role is associated with.

aws iam list-instance-profiles-for-role --role-name example_role_name

b. Use the following command for each instance profile to remove the role from an instance profile.

aws iam remove-role-from-instance-profile --instance-profile-name profile_name --role-name example_role_name
  1. To Delete all inline policies that are associated with the role, perform the following:
    a. Use the following command to list all policies that are in the role:
aws iam list-role-policies --role-name example_role_name

b. Use the following command for each policy to delete each policy from the role.

aws iam delete-role-policy --role-name example_role_name --policy-name ec2-list-policy
  1. Run delete-role command to delete the IAM role:
aws iam delete-role --role-name example_role_name

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-instance-profiles-for-role.html
  3. https://awscli.amazonaws.com/v2/documentation/api/2.1.30/reference/iam/remove-role-from-instance-profile.html
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-role-policies.html
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-role-policy.html
  6. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-role.html

IAM Role

An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials (password or access keys) associated with it. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset