Kloudle
academy

How to delete an IAM Role using AWS CLI

Pragti Chauhan
#aws#roles#cloudsecurity#IAM
Feature image

Introduction

Unused IAM Roles are a security menace and must be periodically reviewed and purged from AWS account. The principle of least access and least privilege must be followed at all times. It is a security best practice to create and have only the roles (with strictly mapped privileges) that are required for the function of the AWS account.

IAM roles should not exist if they are not going to be used. This ensures that the attack surface for the AWS account is reduced. Based on the privileges of the role, an attacker may misuse it to perform privilege escalation via a compute instance and may even compromise the entire AWS account.

In this article we will take a look at how to delete an IAM Role using AWS CLI.

Delete an IAM Role via AWS CLI

Following are the steps to delete an IAM Role using AWS CLI:

  1. List all the roles and select the role to be deleted, also note down its ARN

    aws iam list-roles

    List Roles

  2. (Optional, else skip to step 4) To check role activity, generate service last accessed details and fetch the Job ID of IAM role

    aws iam generate-service-last-accessed-details --arn <role_ARN>

    Role ACtivity

  3. To fetch IAM service last accessed details, run following command and provide the Job ID generated in the previous step

    aws iam get-service-last-accessed-details --job-id <job_id>

    Service Last Accessed

  4. Before deleting the role check if any instance profiles and policies are attached to the role and remove them. To check if the role is attached to an instance profile, run following command

    aws iam list-instance-profiles-for-role --role-name <Role_name>

    Instance Profiles for Roles

  5. If an instance profile is attached to the role, remove it by running the following command

    aws iam remove-role-from-instance-profile --instance-profile-name <Instance_profile_name> --role-name <Role_name>

    Remove Instance Profile

  6. Before deleting the role check the policies attached to the role

    aws iam list-attached-role-policies --role-name <Role_name>

    Attached Role Policies

  7. Detach the policies attached to the role by running the following command

    aws iam detach-role-policy --role-name <Role_name> --policy-arn <Policy_ARN>

    Detach Role Policy

  8. To delete the IAM role, run following command

    aws iam delete-role --role-name <role_name>

    Delete IAM Role

← Back to Academy