Unused IAM Users and Roles are not removed
Description
Every IAM user and role in an AWS account is a path into that account. Keep only the ones that are actually in use, so that dormant principals do not add to the risk of unauthorized access to AWS resources.
An unused IAM user or role is flagged as a critical finding when it is an administrator, that is, when it meets at least one of the following criteria:
- The AWS managed policy arn:aws:iam::aws:policy/AdministratorAccess is attached
- An attached or inline policy allows the action "*" on all resources
- An attached or inline policy allows the action "iam:*" on all resources
We recommend removing any unused IAM entity rather than leaving it in place. A dormant user or role is rarely reviewed, yet its standing permissions can later be handed to an unauthorized principal, for example by issuing new access keys for the user or by widening the role's trust policy.
Fix - Runtime
CLI Command
Removing unused users and roles reduces the risk of unauthorized access to AWS resources.
Confirm the role is genuinely unused first (its last-used date and CloudTrail activity), then remove it with the following command:
aws iam delete-role --role-name <value>
The call is rejected with a DeleteConflict error while the role still has attached managed policies, inline policies or instance profile memberships, so detach and delete those first. Deleting an unused IAM user works the same way: its access keys, login profile, MFA devices, group memberships and policies must be removed before the user itself can be deleted.
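The checks from the Description section and the removal order from this section, as one added example that is not part of the original page or of any vendor tooling: it applies the three administrator criteria to a constructed inventory of IAM users and roles, flags those not used within an assumed 90-day window, and emits the aws iam commands for each in the order deletion requires. The record shape, account ID, names, dates and the 90-day threshold are all assumptions made for the example.

```python
# Added example, not from the original page. All records below are constructed;
# in a real account the policy data comes from `aws iam get-account-authorization-details`,
# role last-use from `aws iam get-role` (RoleLastUsed) and user last-use from the credential report.
from datetime import datetime, timedelta, timezone

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
ADMIN_ACTIONS = {"*", "iam:*"}  # IAM action names are case-insensitive, so compare lower-cased


def _as_list(value):
    """Policy elements (Statement, Action, Resource) may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_grants_admin(stmt):
    """Criteria 2 and 3: an Allow of '*' or 'iam:*' whose Resource includes '*'. Deny never counts."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    return bool(actions & ADMIN_ACTIONS) and "*" in _as_list(stmt.get("Resource"))


def policy_grants_admin(document):
    return any(statement_grants_admin(s) for s in _as_list(document.get("Statement")))


def is_admin(entity, managed_policy_docs):
    """Criterion 1 is the managed ARN itself; other attached and inline policies are inspected."""
    for arn in entity["AttachedManagedPolicies"]:
        if arn == ADMIN_POLICY_ARN:
            return True
        doc = managed_policy_docs.get(arn)
        if doc is not None and policy_grants_admin(doc):
            return True
    return any(policy_grants_admin(p["Document"]) for p in entity["InlinePolicies"])


def is_unused(entity, now, max_idle_days=90):
    """Never used, or idle longer than max_idle_days (an assumed threshold; pick your own)."""
    if entity["LastUsed"] is None:
        return True
    return now - datetime.fromisoformat(entity["LastUsed"]) > timedelta(days=max_idle_days)


def find_unused_admins(entities, managed_policy_docs, now):
    return sorted(e["Name"] for e in entities if is_admin(e, managed_policy_docs) and is_unused(e, now))


def removal_plan(entity):
    """CLI commands to delete the entity. delete-role/delete-user fail (DeleteConflict) while
    policies, instance profiles, credentials or group memberships remain, so those go first.
    Not modelled for users: signing certificates, SSH keys and service-specific credentials."""
    name, cmds = entity["Name"], []
    if entity["Type"] == "Role":
        for p in entity.get("InstanceProfiles", []):
            cmds.append(f"aws iam remove-role-from-instance-profile --instance-profile-name {p} --role-name {name}")
        for arn in entity["AttachedManagedPolicies"]:
            cmds.append(f"aws iam detach-role-policy --role-name {name} --policy-arn {arn}")
        for p in entity["InlinePolicies"]:
            cmds.append(f"aws iam delete-role-policy --role-name {name} --policy-name {p['Name']}")
        cmds.append(f"aws iam delete-role --role-name {name}")
    else:
        for key_id in entity.get("AccessKeys", []):
            cmds.append(f"aws iam delete-access-key --user-name {name} --access-key-id {key_id}")
        if entity.get("HasLoginProfile"):
            cmds.append(f"aws iam delete-login-profile --user-name {name}")
        for serial in entity.get("MfaDevices", []):
            cmds.append(f"aws iam deactivate-mfa-device --user-name {name} --serial-number {serial}")
        for g in entity.get("Groups", []):
            cmds.append(f"aws iam remove-user-from-group --group-name {g} --user-name {name}")
        for arn in entity["AttachedManagedPolicies"]:
            cmds.append(f"aws iam detach-user-policy --user-name {name} --policy-arn {arn}")
        for p in entity["InlinePolicies"]:
            cmds.append(f"aws iam delete-user-policy --user-name {name} --policy-name {p['Name']}")
        cmds.append(f"aws iam delete-user --user-name {name}")
    return cmds


# Constructed inventory (not real account data). Account ID and names are made up.
MANAGED_POLICY_DOCS = {
    "arn:aws:iam::123456789012:policy/IamOps": {"Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*"},           # Deny: ignored
        {"Effect": "Allow", "Action": ["IAM:*"], "Resource": ["*"]},  # criterion 3
    ]},
}
ENTITIES = [
    {"Name": "legacy-admin", "Type": "Role", "LastUsed": None, "InstanceProfiles": ["legacy-admin-profile"],
     "AttachedManagedPolicies": [ADMIN_POLICY_ARN], "InlinePolicies": []},
    {"Name": "old-iam-ops", "Type": "User", "LastUsed": "2023-01-10T00:00:00+00:00", "Groups": ["ops"],
     "AttachedManagedPolicies": ["arn:aws:iam::123456789012:policy/IamOps"], "InlinePolicies": [],
     "AccessKeys": ["AKIAEXAMPLE000000001"]},
    {"Name": "break-glass", "Type": "User", "LastUsed": "2024-05-20T00:00:00+00:00", "HasLoginProfile": True,
     "AttachedManagedPolicies": [], "InlinePolicies": [{"Name": "all", "Document":
         {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}}]},  # admin but recently used
    {"Name": "deploy", "Type": "Role", "LastUsed": None, "AttachedManagedPolicies": [],
     "InlinePolicies": [{"Name": "s3", "Document": {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}]},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name in find_unused_admins(ENTITIES, MANAGED_POLICY_DOCS, NOW):
        entity = next(e for e in ENTITIES if e["Name"] == name)
        print(f"# {entity['Type']} {name}: unused admin")
        print("\n".join(removal_plan(entity)))
```

Run as a script it prints the plan for legacy-admin and old-iam-ops only: break-glass is an administrator but was used recently, and deploy is unused but not an administrator. Review the printed commands before executing them; the script deliberately emits them rather than running them.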