Unused policies are attached to roles

Description

AWS IAM policies control access permissions for each IAM user, role and group created in your AWS account.

A policy is considered not in use in either of the following scenarios:

  • Excessive user policy: a policy is directly attached to a user but is not used by that user.
  • Excessive role policy: a policy is directly attached to a role but is not used by that role.

We recommend that you track which attached policies are used and which are not, so that an accidental change cannot turn dormant permissions into unauthorized access.

Fix - Runtime Remediation

CLI Command

To detach an unused policy from a role, use the following command:

aws iam detach-role-policy --role-name <value> --policy-arn <value>

To detach an unused policy from a user, use the following command:

aws iam detach-user-policy --user-name <value> --policy-arn <value>
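As an added example (not part of the original page or of any AWS tooling), the following script shows one way to decide which role policies are candidates for the detach command above: it compares the services a policy grants against the services the role actually authenticated to, using constructed stand-ins for the policy document (`aws iam get-policy-version`) and the role's last-accessed report (`aws iam get-service-last-accessed-details`). All names, ARNs, and timestamps are placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inputs, not real account data. In practice fetch the policy with
# `aws iam get-policy-version` and the usage report with `aws iam get-service-last-accessed-details`.
POLICY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    ],
}
LAST_ACCESSED = [  # ServicesLastAccessed entries: services the role actually used
    {"ServiceNamespace": "sts", "LastAuthenticated": "2024-05-01T10:00:00Z"},
    {"ServiceNamespace": "logs", "LastAuthenticated": "2024-05-02T08:30:00Z"},
]
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # fixed clock for reproducible results

def policy_services(document):
    """Service namespaces granted by the Allow statements of a policy document."""
    statements = document["Statement"]
    statements = [statements] if isinstance(statements, dict) else statements
    granted = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            granted.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return granted

def used_services(last_accessed, now, window_days=90):
    """Services the role authenticated to within the tracking window."""
    cutoff = now - timedelta(days=window_days)
    used = set()
    for entry in last_accessed:
        stamp = entry.get("LastAuthenticated")  # absent when the service was never used
        if stamp and datetime.fromisoformat(stamp.replace("Z", "+00:00")) >= cutoff:
            used.add(entry["ServiceNamespace"])
    return used

def policy_is_unused(document, last_accessed, now, window_days=90):
    """True when none of the services the policy grants were used in the window."""
    granted = policy_services(document)
    used = used_services(last_accessed, now, window_days)
    if "*" in granted:  # "Action": "*" covers every service, so any use counts
        return not used
    return granted.isdisjoint(used)

def remediation(role_name, policy_arn):
    return f"aws iam detach-role-policy --role-name {role_name} --policy-arn {policy_arn}"
```

IAM last-accessed data is reported per service (action-level detail exists only for some services), so a policy flagged here is a candidate to review, not proof that every permission in it is dead.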