AWS-IAM-IAM-Role-Last-Used
Severity : Medium
Description: This control ensures that all IAM roles have been used recently and that no role has gone unused for more than 90 days. Removing unused roles improves the security posture of AWS environments. Additionally, removing unused roles simplifies monitoring and auditing efforts by focusing only on roles that are in use. Besides, these roles may carry access policies that could grant a malicious actor unintended access to resources.
Remediation Steps:
Perform the following steps to delete the reported IAM roles:
Login to the AWS Management Console at https://console.aws.amazon.com.
Navigate to the IAM console.
On the left pane, click Roles.
Check the checkbox of each reported role.
Select Delete. In the confirmation dialog box, under Confirm deletion, enter the name of the role.
Select Delete.
Important:
Any application or user that tries to use a deleted role will see failures.
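The following Python script is an added example (not part of this control's text or Blue Hexagon's tooling) showing how the 90-day condition in the description can be evaluated before any role is deleted. It assumes role records shaped like the Role element returned by IAM GetRole; the SAMPLE_ROLES data is constructed for offline use, and it goes slightly beyond the text by treating never-used roles by their creation date and by skipping service-linked roles, which AWS services manage.

```python
"""Report IAM roles that have not been used within the last 90 days."""
from datetime import datetime, timedelta, timezone

MAX_IDLE_DAYS = 90  # threshold stated by the control


def is_stale(role, now, max_idle_days=MAX_IDLE_DAYS):
    """True if the role was last used more than max_idle_days ago.

    `role` mirrors the Role element of IAM GetRole: it carries CreateDate and,
    when AWS has tracking data, RoleLastUsed.LastUsedDate. A role with no
    LastUsedDate is judged by CreateDate, so an old never-used role is reported.
    Service-linked roles (path /aws-service-role/) are skipped: AWS manages them.
    """
    if role.get("Path", "/").startswith("/aws-service-role/"):
        return False
    last_used = role.get("RoleLastUsed", {}).get("LastUsedDate") or role["CreateDate"]
    return now - last_used > timedelta(days=max_idle_days)


def stale_roles(roles, now=None, max_idle_days=MAX_IDLE_DAYS):
    """Sorted names of roles that fail the control."""
    now = now or datetime.now(timezone.utc)
    return sorted(r["RoleName"] for r in roles if is_stale(r, now, max_idle_days))


def fetch_roles_from_aws():
    """Live lookup with boto3 (needs credentials with iam:ListRoles and iam:GetRole)."""
    import boto3
    iam = boto3.client("iam")
    roles = []
    for page in iam.get_paginator("list_roles").paginate():
        for summary in page["Roles"]:
            # ListRoles omits RoleLastUsed; GetRole returns it.
            roles.append(iam.get_role(RoleName=summary["RoleName"])["Role"])
    return roles


# Constructed sample records (not real roles) so the check runs offline.
_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ROLES = [
    {"RoleName": "app-deploy", "Path": "/", "CreateDate": _NOW - timedelta(days=400),
     "RoleLastUsed": {"LastUsedDate": _NOW - timedelta(days=3), "Region": "us-east-1"}},
    {"RoleName": "old-migration", "Path": "/", "CreateDate": _NOW - timedelta(days=400),
     "RoleLastUsed": {"LastUsedDate": _NOW - timedelta(days=120), "Region": "us-east-1"}},
    {"RoleName": "never-used", "Path": "/", "CreateDate": _NOW - timedelta(days=200),
     "RoleLastUsed": {}},
    {"RoleName": "new-role", "Path": "/", "CreateDate": _NOW - timedelta(days=10),
     "RoleLastUsed": {}},
    {"RoleName": "AWSServiceRoleForSupport", "Path": "/aws-service-role/support.amazonaws.com/",
     "CreateDate": _NOW - timedelta(days=400), "RoleLastUsed": {}},
]

if __name__ == "__main__":
    for name in stale_roles(SAMPLE_ROLES, _NOW):  # swap in fetch_roles_from_aws() for a live account
        print(name)
```

Review the reported names against the remediation steps above before deleting, since a role with no recorded usage may still be referenced by infrastructure that has not run recently.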
Reference:
Blue Hexagon Proprietary