Ensure there are no stale roles with Attached Policies for S3 access

Other Security Rules


Avoid stale roles: they can cause access leakage and uncontrolled manipulation of S3 bucket data, which can lead to ransomware attacks.

This rule checks inline policies only. Attached policies are verified under the respective rule.

Delete stale roles via the AWS Management Console

Step 1. Log in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

Step 2. In the navigation pane of the IAM console, click on Roles. Then select the check box next to the role name you want to delete, not the name or row itself.

Step 3. For "Role actions" at the top of the page, click on Delete.

Step 4. In the confirmation dialog box, review the last accessed information to see when each of the selected roles last accessed an AWS service. This helps you to confirm whether the role is currently active. If you want to proceed, click on Yes, Delete to submit the service-linked role for deletion.

Step 5. Observe the IAM console notifications to monitor the progress of the service-linked role deletion.

Because IAM service-linked role deletion is asynchronous, the deletion task can succeed or fail after you submit the role for deletion.

If the task succeeds, then the role is removed from the list and notification of success appears at the top of the page.

If the task fails, you can click on View details or View Resources in the notification to learn why the deletion failed. If the deletion fails because the role is still used by the service's resources, the notification lists those resources (when the service returns that information). You can then clean up the resources and submit the deletion again.
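Before working through the console steps above, it helps to know which roles actually qualify as stale and carry S3 permissions. The following added example (not part of this rule page or any vendor tool) evaluates role inventory data shaped like the output of `aws iam get-role`, `list-attached-role-policies` and `get-policy-version`; the 90-day threshold, the sample roles and the simplified policy documents are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # assumed threshold; the rule text gives none

def policy_grants_s3(document):
    """True if any Allow statement lists an s3: action or a bare '*' action."""
    statements = document.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written unwrapped
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # Action may be a string or a list
            actions = [actions]
        if any(a == "*" or a.lower().startswith("s3:") for a in actions):
            return True
    return False

def is_stale(role, now):
    """Never used since creation, or RoleLastUsed.LastUsedDate older than STALE_AFTER."""
    last_used = role.get("RoleLastUsed", {}).get("LastUsedDate") or role["CreateDate"]
    return now - last_used > STALE_AFTER

def find_stale_s3_roles(roles, attached, documents, now):
    """roles: get-role 'Role' dicts; attached: {role name: [policy ARN]}; documents: {ARN: doc}."""
    findings = []
    for role in roles:
        arns = attached.get(role["RoleName"], [])
        if is_stale(role, now) and any(policy_grants_s3(documents.get(a, {})) for a in arns):
            findings.append(role["RoleName"])
    return findings

# Constructed sample inventory (not real account data); policy documents are simplified.
def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)
NOW = _utc(2024, 6, 1)
S3_FULL = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
EC2_RO = "arn:aws:iam::123456789012:policy/ec2-describe-only"
SAMPLE_ROLES = [
    {"RoleName": "legacy-backup-role", "CreateDate": _utc(2023, 1, 1), "RoleLastUsed": {"LastUsedDate": _utc(2023, 12, 1)}},
    {"RoleName": "app-role", "CreateDate": _utc(2023, 1, 1), "RoleLastUsed": {"LastUsedDate": _utc(2024, 5, 20)}},
    {"RoleName": "never-used-role", "CreateDate": _utc(2023, 2, 1), "RoleLastUsed": {}},
]
SAMPLE_ATTACHED = {"legacy-backup-role": [S3_FULL], "app-role": [S3_FULL], "never-used-role": [EC2_RO]}
SAMPLE_DOCS = {
    S3_FULL: {"Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]},
    EC2_RO: {"Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]},
}
```

Running `find_stale_s3_roles(SAMPLE_ROLES, SAMPLE_ATTACHED, SAMPLE_DOCS, NOW)` flags only `legacy-backup-role`: the never-used role is stale but grants no S3 access, and the app role is in active use.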