Ensure AWS roles with administrative privileges unused for 90 days are removed
Error: AWS Roles with administrative privileges unused for 90 days are not removed
Bridgecrew Policy ID: BC_AWS_IAM_36
User accounts with administrative privileges unused for 90 days are not removed
IAM users and roles in your AWS accounts are attack surfaces into the account and should exist only while they are in use, to reduce the risk that a stale user, role, or group is used, accidentally or otherwise, to give unauthorized users access to AWS resources.
Unused AWS admins are flagged as a critical finding if they meet one of the following criteria:
- The AWS managed policy arn:aws:iam::aws:policy/AdministratorAccess is attached
- A policy grants the action "*" on all resources
- A policy grants the action "iam:*" on all resources
We recommend that you remove any IAM entities that have admin privileges and are unused, to prevent future admins from attaching them to unauthorized users.
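As an added illustration of the three criteria above (example code, not part of this policy page or of Bridgecrew's checker), the Python below classifies role records the way the check describes and applies the 90-day window; the record layout, the sample inventory and the rule that a never-used role counts from its creation date are assumptions.

```python
from datetime import datetime, timedelta, timezone
# Constructed for this example: the 90-day window and the managed-policy ARN named in
# the policy text. Role records mirror iam:GetRole / ListAttachedRolePolicies /
# GetRolePolicy output but are built inline rather than fetched from AWS.
UNUSED_DAYS = 90
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

def _as_list(value):
    """IAM policy JSON allows a bare string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]

def grants_full_admin(policy_document):
    """True if an Allow statement grants "*" or "iam:*" on all resources.
    Conditions are ignored, applying the criteria literally (assumption)."""
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = _as_list(stmt.get("Resource", []))
        if ("*" in actions or "iam:*" in actions) and "*" in resources:
            return True
    return False

def is_unused_admin_role(role, now=NOW, unused_days=UNUSED_DAYS):
    """Admin by any of the three criteria AND no activity for `unused_days`."""
    is_admin = ADMIN_POLICY_ARN in role.get("AttachedPolicyArns", []) or any(
        grants_full_admin(doc) for doc in role.get("InlinePolicyDocuments", []))
    if not is_admin:
        return False
    # No LastUsedDate means the role was never assumed; count from creation (assumption).
    last_activity = role.get("RoleLastUsed", {}).get("LastUsedDate") or role["CreateDate"]
    return now - last_activity >= timedelta(days=unused_days)

def find_unused_admin_roles(roles, now=NOW):
    """Names of roles to review for deletion, in input order."""
    return [r["RoleName"] for r in roles if is_unused_admin_role(r, now)]

def _role(name, age_days, last_used_days=None, attached=(), inline=()):
    last = {} if last_used_days is None else {"LastUsedDate": NOW - timedelta(days=last_used_days)}
    return {"RoleName": name, "CreateDate": NOW - timedelta(days=age_days), "RoleLastUsed": last,
            "AttachedPolicyArns": list(attached), "InlinePolicyDocuments": list(inline)}

IAM_STAR = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}}
SAMPLE_ROLES = [  # constructed sample inventory; only the first and third should be flagged
    _role("legacy-admin", 400, 120, attached=[ADMIN_POLICY_ARN]),
    _role("active-admin", 400, 3, attached=[ADMIN_POLICY_ARN]),
    _role("iam-star-never-used", 200, None, inline=[IAM_STAR]),
    _role("read-only-stale", 400, 300, attached=["arn:aws:iam::aws:policy/ReadOnlyAccess"]),
]
```

In practice the records would be assembled from aws iam get-role, list-attached-role-policies and get-role-policy. Note that aws iam delete-role refuses a role that still has attached or inline policies or instance profiles, so detach and delete those first.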
Fix - Runtime
To remove a specified IAM user, use the following command:
aws iam delete-user --user-name <value>
To remove a specified IAM role, use the following command:
aws iam delete-role --role-name <value>