How to Find and Delete Unused AWS IAM Roles

Learn how to identify and delete unused AWS IAM roles to enhance security and reduce risk. Explore how to remove them automatically with Blink.

Patrick Londa
Author
Nov 10, 2022
 • 
5
 min read
Share this post

Finding and removing unused IAM roles that are not being actively monitored is a part of best security practices. You can remove the IAM role and its associated permissions as an administrator or developer.

In this guide, we’ll show you how to find unused IAM roles in AWS and remove them.

aws logo
slack logo
Blink Automation: Find Unused AWS IAM Roles and Remove with Approval in Slack
AWS + Slack
Get Started

How to Find and Delete Unused IAM Roles

You can find unused IAM roles by either using the AWS Console or the AWS CLI. Let’s start with the Console.

Using the AWS Console:

1. Sign into the AWS IAM console and select Roles from the navigation panel.

2. You can view the Last activity column to sort by the number of days since the role was last used to make an AWS service . If the role has not been used within the tracking period of 400 days, the activity will display None.

AWS IAM roles list
Source – AWS Documentation: Identify Unused IAM Roles

3. You can learn more about the specific IAM role by clicking into its Summary page. On the Summary page, you will also be able to see Last activity, displaying the date when the role was last used to make an AWS service request.

AWS IAM Role Summary page
Source – AWS Documentation: Identify Unused IAM Roles

4. Back out to the Roles list. When you are confident that you know which roles you want to remove, check the box next to the unused role you want to delete and hit the Delete button.

Using the AWS CLI:

Here are the steps for finding and deleting unused IAM roles with the AWS CLI:

1. First, you can list all IAM roles using the following command

aws iam list-roles

You can narrow the targeting by including a page prefix parameter, like this: 

aws iam list-roles  --path-prefix </application_alpha/feature_beta/>

Here’s an example output:

{
  "Roles": [
    {
      "AssumeRolePolicyDocument": {
        "Version": "2018-10-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Principal": {
              "Service": "ec2.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
          }
        ]
      },
      "RoleId": "AROAJ52OTH4H7LEXAMPLE",
      "CreateDate": "2019-05-11T00:02:29Z",
      "RoleName": "feature-a-access",
      "Path": "/",
      "Arn": "arn:aws:iam::123456789012:role/feature-a-access"
    },
    {
      "AssumeRolePolicyDocument": {
        "Version": "2018-09-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Principal": {
              "Service": "elastictranscoder.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
          }
        ]
      },
      "RoleId": "AROAI4QRP7UFT7EXAMPLE",
      "CreateDate": "2019-05-11T05:01:56Z",
      "RoleName": "feature-b-access",
      "Path": "/",
      "Arn": "arn:aws:iam::123456789012:role/feature-b-access"
    }
  ]
}

Now that you have a list of roles, you can see which ones are or are not being actively used.

2. Use the following command to check the RoleLastUsed, LastUsedDate, and the Region of a given role:

aws iam get-role --role-name <value>

If RoleLastUsed does not contain a value, the role hasn’t been used within 400 days.

3. Get all instance profiles associated with the unused role and remove them.

First, you can run the following command to get a list of all instance profiles associated with the unused role:

aws iam list-instance-profiles-for-role --role-name <role-name>

Once you have the instance profiles, you can run the following command to remove all instance profiles from the unused IAM role:

aws iam remove-role-from-instance-profile --instance-profile-name <instance-profile-name> --role-name <role-name>

4. Get all policies associated with the unused IAM role and delete them.

First, you can use the following command to list all inline policies in the role:

aws iam list-role-policies --role-name <role-name>

Next, you can run the following command to delete those policies from the role:

aws iam delete-role-policy --role-name <role-name> --policy-name <policy-name>

5. Use the following command to delete the unused IAM role:

aws iam delete-role --role-name <role-name> 

Now, you have cleaned up an unused IAM role in your AWS account.

Remove Unused IAM Roles Automatically with Blink

Running this check for unused IAM roles manually requires time and context-switching. You could try to automate it with a script, but if it breaks, it might need to be rewritten over time.

With Blink, you can easily create an automation that handles this check and sends unused IAM roles to you in a Slack message so you can approve their removal.

Get started with Blink today and strengthen your AWS security today.