Ensure unused policies are detached from roles
Error: Unused policies are attached to roles
Bridgecrew Policy ID: BC_AWS_IAM_41
Unused policies are attached to roles
AWS IAM policies control access permissions for each IAM user, role and group created in your AWS account.
Policies that are not-in-use are defined in the following scenarios:
- Excessive user policy: checks if a policy is directly attached to a user and isn’t used by that user.
- Excessive role policy: checks if a policy is directly attached to a role and isn't used by that role.
We recommend that you track usage and non-usage of policies to prevent any accidental changes that may lead to future unauthorized access.
Fix - Runtime Remediation
To detach an unused policy from a role, use the following command:
aws iam detach-role-policy --role-name <value> --policy-arn <value>
To detach an unused policy from a user, use the following command:
aws iam detach-user-policy --user-name <value> --policy-arn <value>
Updated over 1 year ago