
I have been messing around with Amazon Web Services (AWS) with one single account for quite a while. I created and removed several EC2 instances, Lambda functions, NAT gateways, etc.

Through all those, I created too many new roles and now, after settling the stuff down, I have ended up with a garbage pile of IAM roles - there are many of them.

To clean up, I want to find the roles that are not attached to any kind of item, resource or user (or idle for a period, maybe, etc.) and remove them.

I searched the net, but generally there are docs on reducing the permissions of a particular role, which is fine but not what I want.

vahdet

1 Answer


Log in to the AWS Management Console

Select your IAM role

Click the "Access Advisor" tab

The contents of this tab will display the last access time for each of the various services (S3, EC2, etc.).

Delete the role based on the last access time. Active roles should usually show a recent access time.

To do it programmatically, see https://stackoverflow.com/a/46815052/7983309

ben5556
  • The link and the *access advisor* are precious, thanks for them. Yet, access advisor seems to require selecting roles one by one. Going to have a look for the programmatic way if it brings up **a list** of roles ordered somehow in a useful manner. – vahdet Dec 08 '18 at 11:37
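The Access Advisor tab is one role at a time, but the same "service last accessed" data is available through the IAM API, which is what the programmatic route in the answer relies on. The script below is an added example (Python with boto3), not code from the question, the answer or the linked post. It lists every role in the account, requests the service-last-accessed report for each, and returns a single list ordered from never-used to most recently used. The 90-day idle threshold, the role and service names in the sample data, and the `fetch_reports`, `classify_role` and `sort_by_staleness` function names are assumptions made for this example; the IAM calls (`list_roles`, `generate_service_last_accessed_details`, `get_service_last_accessed_details`) are real boto3 methods.

```python
# Added example (not code from the question or the answer): the programmatic
# form of the Access Advisor check, run over every role in the account at once.
# AWS calls used: iam.list_roles, iam.generate_service_last_accessed_details,
# iam.get_service_last_accessed_details. The classification logic is kept
# separate from the AWS calls so it can be exercised offline on constructed data.
from datetime import datetime, timedelta, timezone
import time

# Assumption for this example: no service access in 90 days = cleanup candidate.
IDLE_AFTER = timedelta(days=90)


def newest_access(services_last_accessed):
    """Most recent LastAuthenticated across all services, or None.

    IAM omits the LastAuthenticated key for services the role has not used
    within its tracking window, so "never used" shows up as a missing key,
    not as an old timestamp.
    """
    stamps = [s["LastAuthenticated"] for s in services_last_accessed
              if "LastAuthenticated" in s]
    return max(stamps) if stamps else None


def classify_role(role, services_last_accessed, now, idle_after=IDLE_AFTER):
    """Return 'service-linked', 'never-used', 'idle' or 'active' for one role."""
    if role["Path"].startswith("/aws-service-role/"):
        # Service-linked roles belong to an AWS service; IAM refuses to delete
        # them while the service still uses them, so keep them off the list.
        return "service-linked"
    last = newest_access(services_last_accessed)
    if last is None:
        return "never-used"
    return "idle" if now - last > idle_after else "active"


def sort_by_staleness(reports, now, idle_after=IDLE_AFTER):
    """reports: list of (role, services_last_accessed) pairs.

    Returns (role_name, status, last_access) tuples with never-used roles
    first, then oldest access first, so the top of the list is the shortlist.
    """
    rows = [(role["RoleName"], classify_role(role, svc, now, idle_after), newest_access(svc))
            for role, svc in reports]
    rows.sort(key=lambda r: (r[2] is not None, r[2] or now))
    return rows


def fetch_reports(iam, poll_seconds=1.0):
    """Pull the Access Advisor data for every role through a boto3 IAM client.

    Needs iam:ListRoles, iam:GenerateServiceLastAccessedDetails and
    iam:GetServiceLastAccessedDetails. Each report is an asynchronous job,
    so poll until it leaves IN_PROGRESS, and follow Marker for long reports.
    """
    reports = []
    for page in iam.get_paginator("list_roles").paginate():
        for role in page["Roles"]:
            job_id = iam.generate_service_last_accessed_details(Arn=role["Arn"])["JobId"]
            services, marker = [], None
            while True:
                kwargs = {"JobId": job_id}
                if marker:
                    kwargs["Marker"] = marker
                resp = iam.get_service_last_accessed_details(**kwargs)
                if resp["JobStatus"] == "IN_PROGRESS":
                    time.sleep(poll_seconds)
                    continue
                if resp["JobStatus"] == "FAILED":
                    raise RuntimeError(f"{role['RoleName']}: {resp.get('Error')}")
                services.extend(resp["ServicesLastAccessed"])
                if not resp.get("IsTruncated"):
                    break
                marker = resp["Marker"]
            reports.append((role, services))
    return reports


# Constructed sample in the shape IAM returns (not real account data).
SAMPLE_NOW = datetime(2018, 12, 8, tzinfo=timezone.utc)
SAMPLE_REPORTS = [
    ({"RoleName": "lambda-thumbnailer", "Path": "/"}, [
        {"ServiceNamespace": "s3", "LastAuthenticated": SAMPLE_NOW - timedelta(days=2)},
        {"ServiceNamespace": "dynamodb"},  # allowed by policy, never used
    ]),
    ({"RoleName": "old-ec2-experiment", "Path": "/"}, [
        {"ServiceNamespace": "ec2", "LastAuthenticated": SAMPLE_NOW - timedelta(days=200)},
    ]),
    ({"RoleName": "forgotten-nat-test", "Path": "/"}, [
        {"ServiceNamespace": "ec2"},
    ]),
    ({"RoleName": "AWSServiceRoleForSupport", "Path": "/aws-service-role/support.amazonaws.com/"}, [
        {"ServiceNamespace": "support", "LastAuthenticated": SAMPLE_NOW - timedelta(days=1)},
    ]),
]

if __name__ == "__main__":
    import boto3  # only needed for the live run against a real account
    now = datetime.now(timezone.utc)
    for name, status, last in sort_by_staleness(fetch_reports(boto3.client("iam")), now):
        print(f"{status:14} {last.date() if last else 'never':>12} {name}")
```

Two caveats before acting on the list. The service-last-accessed data only covers IAM's tracking window, so a missing timestamp means "not used within that window", not "never used since creation", and roles that are legitimately used rarely (disaster-recovery or once-a-year jobs) will look idle. And `delete_role` fails while the role still has inline policies, attached managed policies or instance-profile membership, so those have to be removed first; that is a useful safety net, since a role still attached to an instance profile is probably not garbage.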