Ensure unused policies are detached from users

Error: Unused policies are attached to users

Bridgecrew Policy ID: BC_AWS_IAM_40
Severity: MEDIUM

Description

AWS IAM policies control access permissions for each IAM user, role and group created in your AWS account.

A policy is considered not in use in either of the following scenarios:

  • Excessive user policy: a policy is directly attached to a user but is not used by that user.
  • Excessive role policy: a policy is directly attached to a role but is not used by that role.

We recommend tracking which attached policies are used and which are not, so that unused attachments can be removed before an accidental change turns them into a path to unauthorized access.

Fix - Runtime

CLI Command

To detach an unused policy from a role, use the following command:

aws iam detach-role-policy --role-name <value> --policy-arn <value>

To detach an unused policy from a user, use the following command:

aws iam detach-user-policy --user-name <value> --policy-arn <value>
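The following is an added example, not code from the Bridgecrew page: it shows how an audit script can decide which directly attached policies are unused and then generate the detach commands above for both users and roles. The attached-policy lists, the services each policy grants, the service last-accessed data, the reference time and the 90-day inactivity window are all constructed or assumed for the example; in a real audit the same shapes come from the IAM list-attached-*-policies, get-policy-version and get-service-last-accessed-details calls. A policy whose grants are unknown is reported for manual review rather than flagged as unused, so the script never emits a detach command it cannot justify from the data.

```python
from datetime import datetime, timedelta, timezone

# Reference time and inactivity window are assumptions for this example.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
WINDOW = timedelta(days=90)

# Constructed: managed policies attached directly to each IAM user or role
# (same shape as the AttachedPolicies list returned by
# list-attached-user-policies / list-attached-role-policies).
ATTACHED = {
    ("user", "alice"): [
        {"PolicyName": "S3ReadOnly", "PolicyArn": "arn:aws:iam::123456789012:policy/S3ReadOnly"},
        {"PolicyName": "DynamoAdmin", "PolicyArn": "arn:aws:iam::123456789012:policy/DynamoAdmin"},
        {"PolicyName": "LegacyQueue", "PolicyArn": "arn:aws:iam::123456789012:policy/LegacyQueue"},
    ],
    ("role", "deploy"): [
        {"PolicyName": "EcrPush", "PolicyArn": "arn:aws:iam::123456789012:policy/EcrPush"},
    ],
}

# Constructed: the service namespaces each policy document grants. In a real
# audit this is derived from get-policy-version; a policy missing from this
# map is reported for manual review instead of being flagged as unused.
POLICY_SERVICES = {
    "arn:aws:iam::123456789012:policy/S3ReadOnly": {"s3"},
    "arn:aws:iam::123456789012:policy/DynamoAdmin": {"dynamodb"},
    "arn:aws:iam::123456789012:policy/EcrPush": {"ecr"},
}

# Constructed: ServicesLastAccessed entries per entity, as returned by
# get-service-last-accessed-details. A missing LastAuthenticated key means
# the entity never used that service within the tracking period.
LAST_ACCESSED = {
    ("user", "alice"): [
        {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=3)},
        {"ServiceNamespace": "dynamodb", "LastAuthenticated": NOW - timedelta(days=150)},
    ],
    ("role", "deploy"): [
        {"ServiceNamespace": "ecr", "LastAuthenticated": NOW - timedelta(days=1)},
    ],
}


def recently_used_services(entity, now=NOW, window=WINDOW):
    """Service namespaces the entity authenticated to within the window."""
    return {
        e["ServiceNamespace"]
        for e in LAST_ACCESSED.get(entity, [])
        if "LastAuthenticated" in e and now - e["LastAuthenticated"] <= window
    }


def classify_policies(entity, now=NOW, window=WINDOW):
    """Split an entity's attached policies into unused, in-use and needs-review."""
    recent = recently_used_services(entity, now, window)
    unused, in_use, review = [], [], []
    for policy in ATTACHED.get(entity, []):
        services = POLICY_SERVICES.get(policy["PolicyArn"])
        if services is None:
            review.append(policy)       # unknown grants: never auto-detach
        elif services & recent:
            in_use.append(policy)       # at least one granted service was used
        else:
            unused.append(policy)       # granted services idle for the whole window
    return {"unused": unused, "in_use": in_use, "review": review}


def detach_command(entity, policy_arn):
    """Build the detach command from the page for a user or role attachment."""
    kind, name = entity
    if kind == "user":
        return f"aws iam detach-user-policy --user-name {name} --policy-arn {policy_arn}"
    if kind == "role":
        return f"aws iam detach-role-policy --role-name {name} --policy-arn {policy_arn}"
    raise ValueError(f"unsupported entity type: {kind}")


def remediation_commands(entity):
    """Detach commands for every policy classified as unused for the entity."""
    return [detach_command(entity, p["PolicyArn"]) for p in classify_policies(entity)["unused"]]


if __name__ == "__main__":
    for entity in ATTACHED:
        result = classify_policies(entity)
        print(f"{entity[0]} {entity[1]}: "
              f"unused={[p['PolicyName'] for p in result['unused']]}, "
              f"review={[p['PolicyName'] for p in result['review']]}")
        for cmd in remediation_commands(entity):
            print("  ", cmd)
```

With the constructed data, alice's DynamoAdmin policy is reported as unused (its only service was last used 150 days ago), S3ReadOnly is in use, and LegacyQueue goes to the review list because its grants are not known to the script; the deploy role has nothing to detach. Printing the commands rather than executing them keeps a human approval step between the audit and the change.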