User accounts with administrative privileges unused for 90 days are not removed

Description

IAM users and roles within AWS accounts represent potential attack vectors and should only be retained while actively in use. This minimizes the risk of these entities being inadvertently leveraged to grant unauthorized access to AWS resources.

AWS Admin entities that are unused are flagged as critical findings if they satisfy any of the following conditions:

  1. Attachment of the AWS managed policy arn:aws:iam::aws:policy/AdministratorAccess
  2. A custom policy that grants the * action on all resources
  3. A custom policy that grants the iam:* action on all resources

To reduce the attack surface and prevent unauthorized privilege escalation, it is recommended to promptly remove any IAM entities with administrative privileges that are no longer in use. This removes the risk of such entities being re-associated with unauthorized users and so guards against unintended escalation of access.
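The following is an added example, not part of the original policy page: it evaluates the three admin conditions above against IAM policy documents and applies the 90-day idle threshold. The principal record layout (attached_policy_arns, custom_policies, created, last_used) is assumed; a real collector would fill it from the IAM API, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

ADMIN_MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
IDLE_DAYS = 90

def _as_list(value):
    # IAM policy JSON allows a bare string wherever a list is expected.
    return value if isinstance(value, list) else [value]

def grants_admin(policy_document):
    """True if any Allow statement grants '*' or 'iam:*' on all resources."""
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = set(_as_list(stmt.get("Resource", [])))
        if "*" in resources and actions & {"*", "iam:*"}:
            return True
    return False

def is_admin(principal):
    if ADMIN_MANAGED_POLICY_ARN in principal["attached_policy_arns"]:
        return True
    return any(grants_admin(doc) for doc in principal["custom_policies"])

def is_idle(principal, now, idle_days=IDLE_DAYS):
    # Never-used principals are measured from creation (assumed field names).
    reference = principal["last_used"] or principal["created"]
    return now - reference >= timedelta(days=idle_days)

def find_unused_admins(principals, now):
    return [p["name"] for p in principals if is_admin(p) and is_idle(p, now)]

# Constructed sample records (not real account data) and a fixed reference date.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
IAM_STAR = {"Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}}
S3_READ = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]}
SAMPLE_PRINCIPALS = [
    {"name": "legacy-admin", "attached_policy_arns": [ADMIN_MANAGED_POLICY_ARN],
     "custom_policies": [], "created": NOW - timedelta(days=400),
     "last_used": NOW - timedelta(days=120)},          # admin, idle 120 days
    {"name": "iam-star-role", "attached_policy_arns": [], "custom_policies": [IAM_STAR],
     "created": NOW - timedelta(days=200), "last_used": None},  # admin, never used
    {"name": "active-admin", "attached_policy_arns": [ADMIN_MANAGED_POLICY_ARN],
     "custom_policies": [], "created": NOW - timedelta(days=400),
     "last_used": NOW - timedelta(days=3)},            # admin but in use
    {"name": "idle-reader", "attached_policy_arns": [], "custom_policies": [S3_READ],
     "created": NOW - timedelta(days=400), "last_used": NOW - timedelta(days=300)},
]
```

Only legacy-admin and iam-star-role are reported: active-admin is in use and idle-reader holds no administrative action.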

Fix - Runtime

CLI command

To remove a specified IAM user, use the following command:

aws iam delete-user --user-name <value>

To remove a specified IAM role, use the following command:

aws iam delete-role --role-name <value>