Ensure all IAM policies are in use

It is recommended to keep just IAM policies that in used. Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.

Risk Level: Low
Cloud Entity: IAM Policy
CloudGuard Rule ID: D9.AWS.IAM.82
Covered by Spectral: No
Category: Security, Identity, & Compliance


IamPolicy where not arn regexMatch /aws:policy/ should have attachmentCount>0


From Portal
To remove unused IAM policy:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the left navigation pane, click on Policies
  3. For each policy:
  4. Select the policy where : Type = 'Customer managed' and Attached entities ='0'
  5. Click on Action
  6. click on delete

From Command Line
To remove the specified managed policy, run:

aws iam delete-policy --policy-arn POLICY-ARN


  1. https://aws.amazon.com/blogs/security/remove-unnecessary-permissions-in-your-iam-policies-by-using-service-last-accessed-data/
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-delete.html

IAM Policy

You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset