Unused IAM Users and Roles are not removed

Description

IAM users and roles within AWS accounts represent potential attack vectors and should be retained only when necessary to minimize the risk of unauthorized access to AWS resources.

Critical Finding:
Unused AWS admin accounts are flagged as a critical security risk if they meet any of the following conditions:

  • The AWS-managed policy arn:aws:iam::aws:policy/AdministratorAccess is attached.
  • A custom policy is attached that grants the action "*" on all resources ("*").
  • A custom policy is attached that grants the action "iam:*" on all resources ("*").
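
The three conditions above, as an added detection example that is not part of this page: it evaluates an IAM policy document for the two wildcard-action cases, checks for the AdministratorAccess managed policy, and combines that with last-use data to flag critical findings. The inventory is constructed sample data, and the 90-day "unused" window is an assumption (the page states no threshold).

```python
from datetime import datetime, timedelta, timezone

ADMIN_MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
ADMIN_ACTIONS = {"*", "iam:*"}  # wildcard actions that make a custom policy administrative

def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def policy_grants_admin(policy_document):
    """True if an Allow statement grants '*' or 'iam:*' on all resources ('*')."""
    for statement in _as_list(policy_document.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(statement.get("Action"))}  # actions are case-insensitive
        if "*" in _as_list(statement.get("Resource")) and actions & ADMIN_ACTIONS:
            return True
    return False

def is_critical_unused_admin(entity, now, unused_after_days=90):
    """Flag an entity that is unused AND administrative; the 90-day window is an assumption."""
    last_used = entity.get("last_used")  # None means the entity was never used
    if last_used is not None and now - last_used <= timedelta(days=unused_after_days):
        return False  # still in use, so not an 'unused' finding regardless of privileges
    if ADMIN_MANAGED_POLICY_ARN in entity.get("attached_policy_arns", []):
        return True
    return any(policy_grants_admin(doc) for doc in entity.get("inline_policies", []))

# Constructed sample inventory (not real account data): one record per user/role.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def allow(action, resource="*"):  # helper to build a minimal Allow policy document
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": action, "Resource": resource}]}
SAMPLE_ENTITIES = [
    {"name": "old-admin-user", "attached_policy_arns": [ADMIN_MANAGED_POLICY_ARN],
     "inline_policies": [], "last_used": NOW - timedelta(days=200)},
    {"name": "never-used-role-star", "attached_policy_arns": [],
     "inline_policies": [allow("*")], "last_used": None},
    {"name": "stale-role-iam-star", "attached_policy_arns": [],
     "inline_policies": [allow(["iam:*", "s3:ListBucket"], ["*"])], "last_used": NOW - timedelta(days=120)},
    {"name": "active-admin", "attached_policy_arns": [ADMIN_MANAGED_POLICY_ARN],
     "inline_policies": [], "last_used": NOW - timedelta(days=3)},
    {"name": "stale-readonly", "attached_policy_arns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
     "inline_policies": [allow(["s3:GetObject"])], "last_used": NOW - timedelta(days=400)},
    {"name": "stale-scoped-star", "attached_policy_arns": [],
     "inline_policies": [allow("*", "arn:aws:s3:::example-bucket/*")], "last_used": None},
]

def critical_findings(entities=SAMPLE_ENTITIES, now=NOW):  # names meeting the critical finding
    return [e["name"] for e in entities if is_critical_unused_admin(e, now)]
```

Note that "stale-scoped-star" is not flagged: the action "*" alone is not enough, the statement must also apply to all resources.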

Recommendation:
To mitigate security risks, promptly remove any unused IAM entities, particularly those with administrative privileges, to prevent future misuse by unauthorized users or potential attackers.

Fix - Runtime

CLI command

To detach the policy that has full administrative privileges, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon IAM console.
  3. In the navigation pane, click Policies and then search for the policy name found in the audit step.
  4. Select the policy to be deleted.
  5. In the Policy Action menu, first select Detach.
  6. Select all Users, Groups, and Roles that have this policy attached.
  7. Click Detach Policy.
  8. In the Policy Action menu, select Detach.