How to Find and Delete Unused AWS IAM Roles

Learn how to identify and delete unused AWS IAM roles to enhance security and reduce risk. Explore how to remove them automatically with Blink.

Patrick Londa

Author

Nov 10, 2022

•

min read

Share this post

Finding and removing unused IAM roles that are not being actively monitored is a part of best security practices. You can remove the IAM role and its associated permissions as an administrator or developer.

In this guide, we’ll show you how to find unused IAM roles in AWS and remove them.

Blink Automation: Find Unused AWS IAM Roles and Remove with Approval in Slack

AWS + Slack

Get Started

How to Find and Delete Unused IAM Roles

You can find unused IAM roles by either using the AWS Console or the AWS CLI. Let’s start with the Console.

Using the AWS Console:

1. Sign into the AWS IAM console and select Roles from the navigation panel.

2. You can view the Last activity column to sort by the number of days since the role was last used to make an AWS service . If the role has not been used within the tracking period of 400 days, the activity will display None.

AWS IAM roles list — *Source –* *AWS Documentation: Identify Unused IAM Roles*

3. You can learn more about the specific IAM role by clicking into its Summary page. On the Summary page, you will also be able to see Last activity, displaying the date when the role was last used to make an AWS service request.

AWS IAM Role Summary page — *Source –* *AWS Documentation: Identify Unused IAM Roles*

4. Back out to the Roles list. When you are confident that you know which roles you want to remove, check the box next to the unused role you want to delete and hit the Delete button.

Using the AWS CLI:

Here are the steps for finding and deleting unused IAM roles with the AWS CLI:

1. First, you can list all IAM roles using the following command:

aws iam list-roles

You can narrow the targeting by including a page prefix parameter, like this:

aws iam list-roles  --path-prefix </application_alpha/feature_beta/>

Here’s an example output:

{
  "Roles": [
    {
      "AssumeRolePolicyDocument": {
        "Version": "2018-10-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Principal": {
              "Service": "ec2.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
          }
        ]
      },
      "RoleId": "AROAJ52OTH4H7LEXAMPLE",
      "CreateDate": "2019-05-11T00:02:29Z",
      "RoleName": "feature-a-access",
      "Path": "/",
      "Arn": "arn:aws:iam::123456789012:role/feature-a-access"
    },
    {
      "AssumeRolePolicyDocument": {
        "Version": "2018-09-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Principal": {
              "Service": "elastictranscoder.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
          }
        ]
      },
      "RoleId": "AROAI4QRP7UFT7EXAMPLE",
      "CreateDate": "2019-05-11T05:01:56Z",
      "RoleName": "feature-b-access",
      "Path": "/",
      "Arn": "arn:aws:iam::123456789012:role/feature-b-access"
    }
  ]
}

Now that you have a list of roles, you can see which ones are or are not being actively used.

2. Use the following command to check the RoleLastUsed, LastUsedDate, and the Region of a given role:

aws iam get-role --role-name <value>

If RoleLastUsed does not contain a value, the role hasn’t been used within 400 days.

3. Get all instance profiles associated with the unused role and remove them.

First, you can run the following command to get a list of all instance profiles associated with the unused role:

aws iam list-instance-profiles-for-role --role-name <role-name>

Once you have the instance profiles, you can run the following command to remove all instance profiles from the unused IAM role:

aws iam remove-role-from-instance-profile --instance-profile-name <instance-profile-name> --role-name <role-name>

4. Get all policies associated with the unused IAM role and delete them.

First, you can use the following command to list all inline policies in the role:

aws iam list-role-policies --role-name <role-name>

Next, you can run the following command to delete those policies from the role:

aws iam delete-role-policy --role-name <role-name> --policy-name <policy-name>

5. Use the following command to delete the unused IAM role:

aws iam delete-role --role-name <role-name>

Now, you have cleaned up an unused IAM role in your AWS account.

Remove Unused IAM Roles Automatically with Blink

Running this check for unused IAM roles manually requires time and context-switching. You could try to automate it with a script, but if it breaks, it might need to be rewritten over time.

With Blink, you can easily create an automation that handles this check and sends unused IAM roles to you in a Slack message so you can approve their removal.

Get started with Blink today and strengthen your AWS security today.

Expert Tip

How-To Guides

Set HTTP Redirection Across AWS Application Load Balancers

Learn how to use your load balancer to set a rule for redirecting HTTP traffic to HTTPS in this step-by-step tutorial.

How-To Guides

How to Enforce Labels and Tags Across Your GCP Resources

Learn how to enforce labels and tags across your GCP resources for better organization and cost tracking. Optimize cloud management with our guide.

Company News

Blink Monthly Newsletter December 2022

Stay updated with the Blink newsletter. Read the latest news, featured posts, and expert tips and best practices for common SecOps tasks.

Automate your security operations everywhere.

Blink is secure, decentralized, and cloud-native.  Get modern cloud and security operations today.

Get a Demo