Kata 2: Review unused IAM principals

This kata shows how to identify unused and inactive IAM principals in an AWS account by reviewing the k9 Principals report.

Unused principals expand the attack surface of an AWS account needlessly. These principals provide no utility to the organization and an attacker that gains access may abuse them.

Open the latest k9 resource access audit spreadsheet from the S3 bucket containing your reports (kata 0).

Go to the Principals worksheet and enable filtering for all the columns.

You should see a list of principals like:

Review Principals Last Used in Principals worksheet

The Principal Last Used column reports when the most recent successful authentication event occurred (UTC).  Those events are:

  • IAM user used via the AWS console or an AWS API Access Key
  • IAM role used to invoke an API action

Principal Last Used is blank when AWS has no recorded usage of the principal in the tracking period.  AWS’ tracking period covers the past 400 days for roles and since mid-2015 for users.

Identify Unused IAM Principals

Start by identifying the principals with no recorded use. Filtering the sample’s Principal Last Used column to those that are blank shows:

Filter to unused principals with Principal Last Used=Blank

This excerpt shows several principals with no recorded use of the AWS console or APIs.  These are generally good candidates for removal.

It’s common to see unused service liked roles in a development account.  Developers may have tried a service and then decided not to use it. Identify service roles by checking if a role is defined under the /aws-service-role/$service/ role ARN path.

The k9-policysim user is an interesting corner case.  It’s needed so k9 to simulate access, but shows no usage because it does not invoke any API actions directly.  k9’s activity in monitored accounts appears under the k9-auditor role.

Identify Inactive IAM principals

Now let’s identify inactive IAM principals.  Principal Last Used is a date so you can filter or sort the records.

Filtering the sample for the principals that haven’t been used since Jan 1, 2021 shows:

Filter to inactive principals with Principal Last Used before some time

Most compliance schemes require deactivation of principals after 90 days of inactivity.  k9 gives you an accurate list to review.

Reduce risk to your AWS account by reducing the set of IAM principals to only what the organization needs to function.

Review Questions

Ask these questions during your review:

Q. Does the original use case for this unused principal still exist?

Some principals have no or infrequent usage by design: ‘break glass’ administrators, certain types monitoring, or trial of a new AWS service.  Many unused principals will require some investigation prior to removal.  Record the owner and what application uses the principal as tags for principals that need to stick around.

Q. How often do you expect IAM users to use their credentials?

Consider the difference between a user who infrequently accesses the AWS console and a user who has left the organization.


Once you have completed this kata, you should be able to:

  • identify IAM users and roles that are infrequently or no longer used
  • determine whether that IAM principal still needs to exist
  • kick off the process to remove unnecessary IAM principals

Contact k9 Support ([email protected]) if you have questions, feedback, or would like assistance.