I'm currently cleaning up an old AWS account and I've been running into IAM roles that seem to be unclaimed by anyone. I'm looking for the most efficient way to identify these 'orphaned' roles without burdening myself with too much manual work. Have you written any quick scripts for this? Or do you prefer using AWS tools like Security Hub or Config? I'm open to any suggestions, including code snippets or screenshots, as I want to avoid spending another weekend diving manually into this mess.
2 Answers
First off, it’s important to define what you consider 'orphaned'. Are they unused for over a year, missing tags indicating ownership, or unlinked from any application? For a lightweight approach, AWS has an IAM Access Analyzer, though keep in mind that it might not be free. If you opt for a script, you can leverage the 'GetRole' API to check 'RoleLastUsed'. Just be cautious when deleting roles, as they can have dependencies that might break your infrastructure.
You could also utilize something like Steampipe to run SQL queries for identifying orphaned roles. Plus, tools like Cloud Custodian can help tag stale roles or even remove them if needed.
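To show the GetRole / RoleLastUsed check from the answer in working code, here is an added example (not code from the thread or from AWS) that classifies each role by last use and by whether it carries an ownership tag. It assumes a team convention of an `Owner` tag, a fixed clock, and a constructed sample inventory; `fetch_roles` is the live path and needs boto3 with IAM read credentials.

```python
from datetime import datetime, timedelta, timezone

SERVICE_LINKED_PREFIX = "/aws-service-role/"
OWNER_TAG = "Owner"  # assumption: teams record ownership under this tag key
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

def _role(name, days_since_use, path="/", owner=None, age_days=900):
    """Constructed role dict shaped like boto3 get_role()['Role']."""
    last = {} if days_since_use is None else {"LastUsedDate": NOW - timedelta(days=days_since_use)}
    tags = [{"Key": OWNER_TAG, "Value": owner}] if owner else []
    return {"RoleName": name, "Path": path, "RoleLastUsed": last, "Tags": tags,
            "CreateDate": NOW - timedelta(days=age_days)}

SAMPLE_ROLES = [  # constructed inventory, not real account data
    _role("payments-api", 3, owner="payments"),           # used last week, owned
    _role("old-etl", 400),                                 # stale and unowned
    _role("mystery", None),                                # no recorded use at all
    _role("new-lambda", None, owner="data", age_days=5),   # brand new, judge later
    _role("AWSServiceRoleForSupport", None, path="/aws-service-role/support.amazonaws.com/"),
]

def classify_role(role, now, max_idle_days=365):
    """Return (status, has_owner); status is service-linked, active, stale,
    recent (created inside the window, no use yet) or never-used."""
    if role.get("Path", "/").startswith(SERVICE_LINKED_PREFIX):
        return "service-linked", True  # owned by an AWS service, not a team
    cutoff = now - timedelta(days=max_idle_days)
    last_used = role.get("RoleLastUsed", {}).get("LastUsedDate")
    if last_used is not None:
        status = "active" if last_used >= cutoff else "stale"
    elif role["CreateDate"] >= cutoff:
        status = "recent"  # too young to call orphaned
    else:  # AWS only keeps last-used data for a trailing window, so this
        status = "never-used"  # means "no use in the tracked period", not ever
    return status, any(t["Key"] == OWNER_TAG for t in role.get("Tags", []))

def orphan_candidates(roles, now=None, max_idle_days=365):
    """Names of roles that are stale/never-used or lack an owner tag. Check
    trust policies and EC2/Lambda attachments before deleting any of them."""
    now = now or datetime.now(timezone.utc)
    verdicts = {r["RoleName"]: classify_role(r, now, max_idle_days) for r in roles}
    return [name for name, (status, owned) in verdicts.items()
            if status in ("stale", "never-used") or (status != "service-linked" and not owned)]

def fetch_roles():
    """Live inventory: list_roles omits RoleLastUsed and Tags, so call get_role per role."""
    import boto3  # imported here so the logic above runs without it
    iam = boto3.client("iam")
    return [iam.get_role(RoleName=r["RoleName"])["Role"]
            for page in iam.get_paginator("list_roles").paginate() for r in page["Roles"]]
```

Running `orphan_candidates(fetch_roles())` against a real account gives the review list; the output is a starting point for a dependency check, not a delete list.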
That’s a great point about dependencies! Many accounts become cluttered with roles that are hardly used, and diving into these might actually save you a ton of trouble down the line.