Roles or Instance Profiles Deletion

How to View Role Access?

Date of the role's last activity:

– May not match the last date reported in the Access Advisor tab.

– Reflects the last attempt to access any service.

The Access Advisor tab reports only activity on services that the role's permissions policies allow.

Viewing when a role was last used through the console:

  1. Log in to the Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. From the navigation pane, click Roles.

    Roles or Instance Profiles Deletion - roles

  3. Go to the row of the role you want to inspect; you can narrow the results with the search field. Check the Last activity column to see how many days ago the role was last used. If it was not used during the tracking period, the table shows None.

    Roles or Instance Profiles Deletion - none

  4. Select the role's name to view more information. On the Summary page, Last activity shows the date the role was last used. If the role has not been used in the last 400 days, Last activity shows: Not accessed in the tracking period.

    Roles or Instance Profiles Deletion - summary

Viewing when a role was last used through the CLI:

– Running the command aws iam get-role returns information about the role, including the RoleLastUsed object, which holds the Region where the role was last used and the LastUsedDate. If RoleLastUsed is present but has no value, the role was not used during the tracking period.

Viewing when a role was last used through the API:

Calling the GetRole operation returns information about the role, including the RoleLastUsed object, which holds the Region where the role was last used and the LastUsedDate. If RoleLastUsed is present but has no value, the role was not used during the tracking period.

How to Delete an IAM Role using the Console?

When you use the Management Console to delete a role:

– The policies associated with the role are deleted as well.

– Any EC2 instance profile that contains the role is also deleted.

Deleting a role using the console

  1. Log in to the Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. From the navigation pane, select Roles, and select the check box next to the name of the role you want to delete.

    Roles or Instance Profiles Deletion - console

  3. At the top, click Delete role.

    Roles or Instance Profiles Deletion - delete role

  4. Review the last-accessed service data in the confirmation dialog, which shows when each selected role last accessed a service, so you can confirm whether the role is still active. To continue, click Yes, Delete. If you are certain, you can proceed with the deletion even while the last-accessed data is still loading.

How to Delete an IAM Role using the CLI?

With the CLI, you must delete the policies associated with the role before you can delete the role itself.

The role's associated instance profile is not removed with the role; you must delete it separately.

Deleting a role using the CLI

  1. If you have forgotten the name of the role you want to delete, list all the roles in your account:

$ aws iam list-roles

The list shows the ARN of every role. CLI commands take the role name, not the ARN. For example, for the ARN arn:aws:iam::123456789012:role/myrole, the role name is myrole.

  2. Remove the role from every instance profile it belongs to.
    • List every instance profile associated with the role:

$ aws iam list-instance-profiles-for-role --role-name role-name

    • For each instance profile, remove the role from it:

$ aws iam remove-role-from-instance-profile --instance-profile-name instance-profile-name --role-name role-name

  3. Delete every policy associated with the role.
    • List every policy in the role:

$ aws iam list-role-policies --role-name role-name

    • For each policy, delete it:

$ aws iam delete-role-policy --role-name role-name --policy-name policy-name

  4. Delete the role:

$ aws iam delete-role --role-name role-name

  5. Delete any instance profiles that the role was in and that are no longer needed:

$ aws iam delete-instance-profile --instance-profile-name instance-profile-name

How to Delete an IAM Role using the API?

To delete a role with the IAM API, you must first delete the policies associated with it.

The role's associated instance profile is not removed with the role; you must delete it separately.

Deleting a role using the API

  1. ListInstanceProfilesForRole: lists every instance profile that contains the role.

RemoveRoleFromInstanceProfile: removes the role from each instance profile it is in (pass the role name and the instance profile name).

DeleteInstanceProfile: deletes an unwanted instance profile that was associated with the role.

  2. ListRolePolicies: lists every policy for the role.

DeleteRolePolicy: deletes each policy associated with the role (pass the role name and the policy name).

  3. Call DeleteRole to delete the role.
