IAM policies are the means by which privileges are granted to users, groups, or roles.
It is standard security advice to grant these according to the principle of least privilege. In other words, organizations should never grant users, groups, or roles permissions beyond the minimum required to perform a particular task.
Determine what users need to do and then craft policies that let them perform only those tasks, instead of attaching policies that allow full administrative privileges.
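The audit side of this control is recognizing a policy document that grants full administrative privileges: an Allow statement whose Action is "*" (or "*:*") and whose Resource is "*". The following check is an added example written for this page, not code from AWS or from the original; the two policy documents and the policy ARNs are constructed samples, and the function operates on the policy-document JSON you would retrieve from IAM yourself.

```python
"""Flag IAM policy documents that grant full administrative privileges.

Added example: the policy documents and ARNs below are constructed samples.
The check mirrors the audit criterion for this control, an Allow statement
with Action "*" on Resource "*", not a general policy evaluator.
"""
import json

# Constructed sample: the shape of a full-admin policy document.
FULL_ADMIN_DOC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: a least-privilege policy scoped to one action on one bucket.
SCOPED_DOC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_full_admin(policy_document):
    """Return True if any Allow statement grants every action on every resource."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a in ("*", "*:*") for a in actions) and "*" in resources:
            return True
    return False


def find_full_admin_policies(policies):
    """policies: mapping of policy ARN -> policy document (JSON string or dict).

    Returns the sorted ARNs that need to be detached under this control.
    """
    return sorted(arn for arn, doc in policies.items() if grants_full_admin(doc))


if __name__ == "__main__":
    # Constructed ARNs for the two sample documents.
    inventory = {
        "arn:aws:iam::123456789012:policy/ExampleFullAdmin": FULL_ADMIN_DOC,
        "arn:aws:iam::123456789012:policy/ExampleReadOneBucket": SCOPED_DOC,
    }
    for arn in find_full_admin_policies(inventory):
        print("full administrative privileges:", arn)
```

Feed `find_full_admin_policies` the default-version documents of your customer-managed policies and the returned ARNs are the ones the detach steps below apply to. Statements that rely on a Condition element are still flagged here, which matches the control's intent: a conditional grant of `*` on `*` is still a full-admin grant.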
Detach the policy that grants full administrative privileges from users via the AWS Management Console
Step 1. Log in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
Step 2. In the navigation pane, click on Policies and then search for the policy name found in the audit step.
Step 3. Select the policy that needs to be deleted.
Step 4. In the policy action menu, click on Detach.
Step 5. Select all Users, Groups, and Roles that have this policy attached.
Step 6. Click on Detach Policy.
Detach the policy that grants full administrative privileges from users via the AWS CLI
Step 1. List all IAM users, groups, and roles that the specified managed policy is attached to:
aws iam list-entities-for-policy --policy-arn <policy_arn>
Step 2. Detach the policy from all IAM Users:
aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
Step 3. Detach the policy from all IAM Groups:
aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>
Step 4. Detach the policy from all IAM Roles:
aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>
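Steps 1 through 4 chain together: the output of `list-entities-for-policy` tells you exactly which `detach-*-policy` commands to run. The following is an added example, not code from AWS or from the original page, that turns a captured `list-entities-for-policy` response into the detach commands for review before anything is executed. The response JSON and the policy ARN are constructed samples; the field names (`PolicyUsers`/`UserName`, `PolicyGroups`/`GroupName`, `PolicyRoles`/`RoleName`) are those the real command returns.

```python
"""Build the detach commands for one managed policy from list-entities-for-policy output.

Added example: the JSON response and policy ARN below are constructed samples.
Nothing here calls AWS; it produces an argv list per command so the plan can be
reviewed (or piped to subprocess.run) rather than typed by hand.
"""
import json
import shlex

# Constructed sample: the ARN found in the audit step.
POLICY_ARN = "arn:aws:iam::123456789012:policy/ExampleFullAdmin"

# Constructed sample: what `aws iam list-entities-for-policy --policy-arn ...` returns.
LIST_ENTITIES_OUTPUT = json.dumps({
    "PolicyGroups": [{"GroupName": "Admins", "GroupId": "AGPAEXAMPLEGROUPID"}],
    "PolicyUsers": [
        {"UserName": "alice", "UserId": "AIDAEXAMPLEUSERID1"},
        {"UserName": "bob", "UserId": "AIDAEXAMPLEUSERID2"},
    ],
    "PolicyRoles": [{"RoleName": "DeployRole", "RoleId": "AROAEXAMPLEROLEID"}],
    "IsTruncated": False,
})

# Each entity type maps to its detach subcommand and the name flag it takes.
_ENTITY_KINDS = (
    ("PolicyUsers", "UserName", "detach-user-policy", "--user-name"),
    ("PolicyGroups", "GroupName", "detach-group-policy", "--group-name"),
    ("PolicyRoles", "RoleName", "detach-role-policy", "--role-name"),
)


def plan_detach_commands(list_entities_json, policy_arn):
    """Return one argv list per attached entity, covering users, groups and roles.

    Raises if the response is truncated: a partial plan would leave the policy
    attached somewhere, so the caller must page through the full listing first.
    """
    response = json.loads(list_entities_json) if isinstance(list_entities_json, str) else list_entities_json
    if response.get("IsTruncated"):
        raise ValueError("list-entities-for-policy response is truncated; collect all pages first")
    commands = []
    for list_key, name_key, subcommand, name_flag in _ENTITY_KINDS:
        for entity in response.get(list_key, []):
            commands.append(
                ["aws", "iam", subcommand, name_flag, entity[name_key], "--policy-arn", policy_arn]
            )
    return commands


def render_plan(commands):
    """Shell-quoted command lines, suitable for review or for a remediation runbook."""
    return [shlex.join(cmd) for cmd in commands]


if __name__ == "__main__":
    for line in render_plan(plan_detach_commands(LIST_ENTITIES_OUTPUT, POLICY_ARN)):
        print(line)
```

Run the real listing first, check the rendered plan against the entities you expect (a role attached to a deployment pipeline, for example, deserves a replacement scoped policy before it loses access), then execute the commands. Deleting the policy itself is only possible once every attachment and every non-default version is gone.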