I'm in the process of cleaning up an old AWS account and I keep finding IAM roles that seem to have no owner. I'm curious to know what the quickest, least labor-intensive methods you've used to identify these 'orphaned' roles. Have you written a script for it, utilized tools like Security Hub, AWS Config, or have a different strategy? I'd love to see any examples or code snippets you might have, as I'm trying to avoid spending another weekend digging through everything manually.
4 Answers
Using tools like Cloud Custodian to automatically tag or remove stale roles could also save you time. It's a handy way to manage resources you don't need anymore without manual effort.
I suggest starting with IAM Access Analyzer for identifying unused access. You could also write a quick script leveraging the "GetRole" API to check properties like 'RoleLastUsed'. Just be cautious about removing roles as they might break existing dependencies, no matter how 'orphaned' they seem.
When you're looking for 'orphaned' roles, it's important to define what that means. For example, are you considering roles that haven't been used in over a year, or roles with no tags pointing to an owning team? The lightest method might be to use AWS's IAM role analyzer, although it's not free. Alternatively, if you have a specific SQL query in mind, using Steampipe could be very effective too!
Using Steampipe sounds interesting! I’ve got a couple of SQL scripts for querying roles, which might help identify stale roles effectively.
It might be worthwhile to approach this from a threat modeling perspective. Identify what threats you're most concerned about, like overly permissive roles that could be exploited. AWS has a good Threat Catalog to help guide your approach and help you find those orphaned roles more defensively.
Exactly! It's so easy to accidentally break things if you're not careful. Those default roles can build up quickly!
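An added example (not code from any poster in this thread) that combines the GetRole/RoleLastUsed approach suggested above with the "no tag pointing to an owning team" definition: it checks GetRole-shaped role records against an idle threshold and an owner tag, and skips service-linked roles, which belong to the service rather than a team. The sample records, the `Owner` tag key and the `collect_roles` helper are constructed assumptions, not anything from AWS or the thread.

```python
"""Flag IAM roles that look orphaned, from GetRole-shaped records."""
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like boto3 iam.get_role()["Role"] (ListRoles does
# not return RoleLastUsed or Tags, hence the per-role GetRole call below).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ROLES = [
    {"RoleName": "app-prod-task", "Path": "/",
     "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=3), "Region": "us-east-1"},
     "Tags": [{"Key": "Owner", "Value": "payments-team"}]},
    {"RoleName": "legacy-migration", "Path": "/",
     "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=500), "Region": "us-east-1"},
     "Tags": []},
    {"RoleName": "never-assumed", "Path": "/",
     "RoleLastUsed": {},  # IAM returns an empty object when no use was recorded
     "Tags": [{"Key": "Owner", "Value": "data-eng"}]},
    {"RoleName": "AWSServiceRoleForSupport",
     "Path": "/aws-service-role/support.amazonaws.com/", "RoleLastUsed": {}, "Tags": []},
]


def find_orphaned_roles(roles, now, max_idle_days=365, owner_tag="Owner"):
    """Return [(role_name, [reasons])] for roles that are stale or unowned."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for role in roles:
        # Service-linked roles are managed by the owning AWS service; skip them.
        if role.get("Path", "/").startswith("/aws-service-role/"):
            continue
        reasons = []
        last_used = role.get("RoleLastUsed", {}).get("LastUsedDate")
        if last_used is None:
            # IAM tracks last use for about 400 days, so "never" means "not in that window"
            reasons.append("never used within the RoleLastUsed tracking period")
        elif last_used < cutoff:
            reasons.append(f"last used {(now - last_used).days} days ago")
        tags = {t["Key"]: t["Value"] for t in role.get("Tags", [])}
        if not tags.get(owner_tag):
            reasons.append(f"no '{owner_tag}' tag")
        if reasons:
            findings.append((role["RoleName"], reasons))
    return findings


def collect_roles(iam):
    """Hypothetical helper: fetch GetRole records for every role via a boto3 IAM client."""
    names = [r["RoleName"] for page in iam.get_paginator("list_roles").paginate()
             for r in page["Roles"]]
    return [iam.get_role(RoleName=n)["Role"] for n in names]


if __name__ == "__main__":
    for name, reasons in find_orphaned_roles(SAMPLE_ROLES, NOW):
        print(f"{name}: {'; '.join(reasons)}")
```

Run against a real account with `find_orphaned_roles(collect_roles(boto3.client("iam")), datetime.now(timezone.utc))`; treat the output as a review list, not a delete list, since a role that is idle or untagged may still be referenced by a trust policy or deployment.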