Control: IAM roles that have not been used in 60 days should be removed

Description

This control checks whether the IAM role has been used in 60 days. Unused accounts and roles increase the attack surface area.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.iam_role_unused_60

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.iam_role_unused_60 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when role_last_used_date <= (current_date - interval '60' day) or role_last_used_date is null
      then 'alarm'
    else 'ok'
  end as status,
  case
    when role_last_used_date is null
      then name || ' was never used.'
    else
      name || ' was last used ' || to_char(role_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_date - role_last_used_date) || ' days ago).'
  end as reason
  , account_id
from
  aws_iam_role;

Control: IAM roles that have not been used in 60 days should be removed

Description

Usage

SQL

Tags