IAM users and roles in your AWS accounts are entry points into the account, and should be kept only while they are in use, to reduce the risk that a forgotten user or role is used, accidentally or otherwise, to give unauthorized users access to AWS resources.
An unused AWS admin is flagged as a critical finding if the IAM entity meets at least one of the following criteria:
- The AWS managed policy arn:aws:iam::aws:policy/AdministratorAccess is attached
- A policy allows the action "*" on all resources ("Resource": "*")
- A policy allows the action "iam:*" on all resources
We recommend removing any IAM entity that has been unused for 90 days, so that a future administrator cannot reassign it to an unauthorized user.
To remove an unused user from the AWS Management Console:
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the IAM console and select Users.
- Find the user(s) to delete and select the checkbox next to each one. (You may wish to confirm the "Last activity" date before deleting a user.)
- Click Delete User.
To remove an unused user with the AWS CLI, use the following command:
aws iam delete-user --user-name <value>
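The following script is an added example, not code from the original page or from the product it describes. It reimplements the page's three "admin" criteria over IAM-style policy documents, applies the 90-day unused window to console password and access-key activity, and builds the ordered sequence of CLI commands needed before aws iam delete-user succeeds (the call is rejected with DeleteConflict while policies, group memberships, keys, MFA devices or a login profile remain). The user records, names, key IDs and timestamps are constructed so the script runs offline; in a real account the same fields would be filled from IAM API responses such as get-account-authorization-details and get-access-key-last-used.

```python
"""Flag unused AWS admin users and plan their removal (added example, offline data)."""
from datetime import datetime, timedelta, timezone

ADMIN_MANAGED_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
ADMIN_ACTIONS = {"*", "iam:*"}      # the page's two wildcard criteria
UNUSED_DAYS = 90


def _as_list(value):
    """IAM accepts a bare string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_admin(policy_document):
    """True if any Allow statement grants "*" or "iam:*" on all resources."""
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = set(_as_list(stmt.get("Resource")))
        if actions & ADMIN_ACTIONS and "*" in resources:
            return True
    return False


def is_admin(user):
    """Page criteria: managed AdministratorAccess attached, or a policy with "*"/"iam:*" on all resources."""
    if ADMIN_MANAGED_POLICY in user["attached_policy_arns"]:
        return True
    return any(grants_admin(doc) for doc in user["policy_documents"])


def last_activity(user):
    """Most recent console password use or access-key use; None if the user was never used."""
    stamps = [t for t in [user["password_last_used"]] + user["key_last_used"] if t]
    return max(stamps) if stamps else None


def is_unused(user, now, days=UNUSED_DAYS):
    last = last_activity(user)
    return last is None or (now - last) > timedelta(days=days)


def find_unused_admins(users, now):
    """Names of users that are admins by the page's criteria and unused for > 90 days."""
    return sorted(u["name"] for u in users if is_admin(u) and is_unused(u, now))


def deletion_plan(user):
    """Ordered AWS CLI commands: attachments and credentials first, delete-user last.
    Covers the common attachment types; signing certificates, SSH keys and
    service-specific credentials would need their own delete calls as well."""
    n = user["name"]
    cmds = [f"aws iam detach-user-policy --user-name {n} --policy-arn {a}" for a in user["attached_policy_arns"]]
    cmds += [f"aws iam delete-user-policy --user-name {n} --policy-name {p}" for p in user["inline_policy_names"]]
    cmds += [f"aws iam remove-user-from-group --user-name {n} --group-name {g}" for g in user["groups"]]
    cmds += [f"aws iam delete-access-key --user-name {n} --access-key-id {k}" for k in user["access_key_ids"]]
    cmds += [f"aws iam deactivate-mfa-device --user-name {n} --serial-number {s}" for s in user["mfa_serials"]]
    if user["has_login_profile"]:
        cmds.append(f"aws iam delete-login-profile --user-name {n}")
    cmds.append(f"aws iam delete-user --user-name {n}")
    return cmds


def mk_user(name, **fields):
    """Constructed user record with empty defaults (sample data only, not real IAM output)."""
    base = {"name": name, "attached_policy_arns": [], "policy_documents": [],
            "inline_policy_names": [], "groups": [], "access_key_ids": [],
            "mfa_serials": [], "has_login_profile": False,
            "password_last_used": None, "key_last_used": []}
    base.update(fields)
    return base


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed reference time
SAMPLE_USERS = [   # constructed sample data
    # managed AdministratorAccess, last console login ~8 months ago -> finding
    mk_user("legacy-admin", attached_policy_arns=[ADMIN_MANAGED_POLICY], groups=["admins"],
            access_key_ids=["AKIAEXAMPLE000000001"], has_login_profile=True,
            password_last_used=datetime(2023, 10, 1, tzinfo=timezone.utc), key_last_used=[None]),
    # inline policy granting iam:* on "*", key never used -> finding
    mk_user("iam-bot", inline_policy_names=["iam-full"], access_key_ids=["AKIAEXAMPLE000000002"],
            policy_documents=[{"Version": "2012-10-17",
                               "Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}}],
            key_last_used=[None]),
    # admin, but used a week ago -> not flagged
    mk_user("active-admin", attached_policy_arns=[ADMIN_MANAGED_POLICY], has_login_profile=True,
            password_last_used=datetime(2024, 5, 25, tzinfo=timezone.utc)),
    # unused, but "*" is scoped to one bucket, not all resources -> not an admin
    mk_user("stale-reader", policy_documents=[{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::example-bucket/*"}]}]),
]

if __name__ == "__main__":
    for name in find_unused_admins(SAMPLE_USERS, NOW):
        print(f"CRITICAL unused admin: {name}")
        for cmd in deletion_plan(next(u for u in SAMPLE_USERS if u["name"] == name)):
            print("  " + cmd)
```

The plan is printed rather than executed on purpose: a practitioner would review it against the entity's last-activity data and any role trust policies or automation that still references the user before running it.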
Updated about 2 years ago