IAM users and roles in your AWS accounts act as open attack surfaces into the account, and should be kept only when in use to reduce the risk that a group will be used accidentally to allow unauthorized users to access AWS resources.
Unused AWS Admins are flagged as a critical finding if they meet one of the following criteria:
- The AWS managed policy arn:aws:iam::aws:policy/AdministratorAccess attached
- A policy with the action "*" on all resources
- A policy with the action "iam:*" on all resources.
We recommend you remove any IAM entities with admin privileges and unused to prevent future admins from attaching them to unauthorized users.
To remove a specified IAM user, use the following command:
aws iam delete-user --user-name <value>
To remove a specified IAM role, use the following command:
aws iam delete-role --role-name <value>
Updated about 1 year ago