Ensure unused policies are detached from groups

Error: Unused policies are attached to groups

Bridgecrew Policy ID: BC_AWS_IAM_42
Severity: MEDIUM

Removing unused IAM groups eliminates the risk that a forgotten group is used, accidentally or otherwise, to let unauthorized users reach AWS resources. Detaching policies that are no longer used likewise ensures they cannot be exploited by unwanted actors to make manual changes in the account.

We recommend tracking which policies are and are not in use, so that accidental changes do not lead to unauthorized access later.

Fix - Runtime Remediation

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the [Amazon IAM console](https://console.aws.amazon.com/iam/).
  3. In the navigation pane, choose Groups, Users, or Roles.
  4. From the list, select the name of the group, user, or role that has the policy you want to remove.
  5. Choose the Permissions tab. If you chose Groups, expand the Inline Policies section if necessary.
  6. If in Groups, choose Remove Policy. If in Users or Roles, choose X.

CLI Command

To detach a policy from a group, use the following command:

```shell
aws iam detach-group-policy \
  --group-name Testers \
  --policy-arn arn:aws:iam::123456789012:policy/TesterAccessPolicy
```
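The following Python script is an added example, not Bridgecrew's or AWS's own code. It automates the audit behind this check in its simplest form: a managed policy attached to a group that has no members grants permissions nobody can exercise, which is the "forgotten group" risk described above. The `FakeIam` class holds constructed sample data (the `Testers` group and policy ARN from the CLI example, plus an invented `Developers` group) and mirrors the response shapes of the boto3 IAM client methods `list_groups`, `get_group`, `list_attached_group_policies` and `detach_group_policy`, so the script runs offline; passing `boto3.client("iam")` in its place is assumed to work against a real account. The real `list_*` calls are paginated, which the fake does not model.

```python
"""Find managed policies attached to IAM groups that have no members.

Added example (not Bridgecrew's code). The FakeIam client is constructed
sample data mirroring the boto3 IAM client's response shapes; substitute
boto3.client("iam") for a real audit (and use paginators for list_* calls).
"""
from dataclasses import dataclass


@dataclass
class Finding:
    group_name: str
    policy_arn: str
    reason: str


class FakeIam:
    """Constructed stand-in for boto3's IAM client (sample data only)."""

    def __init__(self):
        # group -> member user names (constructed sample data)
        self.members = {"Testers": [], "Developers": ["alice", "bob"]}
        # group -> attached managed policy ARNs (constructed sample data)
        self.attached = {
            "Testers": ["arn:aws:iam::123456789012:policy/TesterAccessPolicy"],
            "Developers": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
        }
        self.detached = []  # records every detach call made against the fake

    def list_groups(self):
        return {"Groups": [{"GroupName": g} for g in self.members]}

    def get_group(self, GroupName):
        return {"Group": {"GroupName": GroupName},
                "Users": [{"UserName": u} for u in self.members[GroupName]]}

    def list_attached_group_policies(self, GroupName):
        return {"AttachedPolicies": [
            {"PolicyArn": arn, "PolicyName": arn.rsplit("/", 1)[1]}
            for arn in self.attached[GroupName]]}

    def detach_group_policy(self, GroupName, PolicyArn):
        self.attached[GroupName].remove(PolicyArn)
        self.detached.append((GroupName, PolicyArn))
        return {}


def find_unused_group_attachments(iam):
    """Return one Finding per managed policy attached to a member-less group."""
    findings = []
    for group in iam.list_groups()["Groups"]:
        name = group["GroupName"]
        if iam.get_group(GroupName=name)["Users"]:
            continue  # the group has members, so its policies are in use
        attached = iam.list_attached_group_policies(GroupName=name)
        for pol in attached["AttachedPolicies"]:
            findings.append(Finding(name, pol["PolicyArn"], "group has no members"))
    return findings


def detach_commands(findings):
    """Render each finding as the CLI command shown on this page."""
    return [f"aws iam detach-group-policy --group-name {f.group_name} "
            f"--policy-arn {f.policy_arn}" for f in findings]


def remediate(iam, findings, dry_run=True):
    """Detach every finding's policy; with dry_run=True nothing is changed."""
    planned = []
    for f in findings:
        if not dry_run:
            iam.detach_group_policy(GroupName=f.group_name, PolicyArn=f.policy_arn)
        planned.append((f.group_name, f.policy_arn))
    return planned


if __name__ == "__main__":
    client = FakeIam()
    found = find_unused_group_attachments(client)
    for cmd in detach_commands(found):
        print(cmd)  # review the plan first ...
    remediate(client, found, dry_run=False)  # ... then detach
    print("detached:", client.detached)
```

Run it as-is to see the plan for the sample data; against a real account, review the printed commands before calling `remediate` with `dry_run=False`, since an empty group may still be a deliberate placeholder for users who are about to be added.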