Unused policies are attached to users
Description
AWS IAM policies control access permissions for each IAM user, role and group created in your AWS account.
Policies that are not-in-use are defined in the following scenarios:
- Excessive user policy: checks if a policy is directly attached to a user and isn’t used by that user.
- Excessive role policy: checks if a policy is directly attached to a role and isn't used by that role.
We recommend that you track usage and non-usage of policies to prevent any accidental changes that may lead to future unauthorized access.
Fix - Runtime
CLI Command
To detach an unused policy from a role, use the following command:
aws iam detach-role-policy --role-name <value> --policy-arn <value>
To detach an unused policy from a user, use the following command:
aws iam detach-user-policy --user-name <value> --policy-arn <value>