1

In AWS there are Service-Linked roles. It looks like over time AWS may have changed their policy regarding how these are identified, and the easiest way I can tell now is by using the Path for each role, with the /aws-service-role indicator in the path.

I am hoping to identify the older Service-Linked roles, but as far as I can tell, one of the only ways to do that is to look for /service-role (not /aws-service-role) in the Path OR look in the policy to see if the Path for the policy says either /service-role or /aws-service-role

Is this a good way to identify older roles that are service-linked, are there any better ways?

Also what is the difference between /service-role and /aws-service-role in the Path of either the role itself, or the policy attached to it?

I can't find any documentation in AWS around what the difference between the Path may indicate.

glitchwizard
  • Why are you trying to do this? Sounds like an https://xyproblem.info – Ermiya Eskandary Oct 25 '21 at 19:54
  • Also what are "older" service linked roles? Can you please provide some examples? – Ermiya Eskandary Oct 25 '21 at 19:56
  • 1
    @ErmiyaEskandary Ultimately we're trying to determine which roles can be removed from our AWS, service-linked roles being one of them. It seems like AWS changed their policy at one point and now automatically created roles have been generated again with newer info, so if there's a way to ID the older-created ones so we can wipe them out with certainty, I'm looking for that. The only way I know how at this point is by looking for them by filtering their `Path` value as stated above. – glitchwizard Oct 25 '21 at 19:58
  • 2
    Your way of checking is the best way then, I don't think there'd be a better way to identify old service-linked roles. However a possible way to satisfy your end goal is to use the last activity timestamp to find unused roles - this [AWS guide](https://aws.amazon.com/blogs/security/identify-unused-iam-roles-remove-confidently-last-used-timestamp/) has more info. Does that help? – Ermiya Eskandary Oct 25 '21 at 20:01
  • @ErmiyaEskandary yeah that helps. We're already identifying roles based on their last used info, but sadly we have many that are past the 400 day window that is tracked by access adviser, so we need a few more criteria (hence this question) I think I should be good to go now though. Thank you! – glitchwizard Oct 25 '21 at 20:06
  • 1
    If past 400, just get rid - don't obsess too much over it, it's not user data and can always be recreated. The fact that they haven't been used means they're not being used by anything - anything that hasn't run in a year is very unlikely to be mission-critical. – Ermiya Eskandary Oct 25 '21 at 20:08
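The following is an added example, not code from the question or the comments, that combines the two checks discussed above: classifying each role by its `Path` and then applying the last-used timestamp as a second criterion. It assumes that `/aws-service-role/` is the path IAM reserves for service-linked roles and that `/service-role/` is the path the IAM console assigns to ordinary roles it creates on behalf of a service (Lambda, CodeBuild and similar); the role records are constructed in the same shape `list_roles` returns them, and the `max_unused_days` threshold is the 400-day tracking window mentioned in the comments. Service-linked roles are reported separately rather than as removal candidates, because they are deleted through `DeleteServiceLinkedRole` rather than `DeleteRole`.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Path prefixes used to classify roles (assumptions stated in the lead-in).
SERVICE_LINKED_PREFIX = "/aws-service-role/"   # reserved for service-linked roles
CONSOLE_SERVICE_PREFIX = "/service-role/"      # console-created roles that act for a service

# Reference "now" for the constructed sample, fixed so results are reproducible.
NOW = datetime(2021, 10, 25, tzinfo=timezone.utc)

# Constructed sample in the shape of IAM list_roles output; not real account data.
SAMPLE_ROLES = [
    {"RoleName": "AWSServiceRoleForSupport",
     "Path": "/aws-service-role/support.amazonaws.com/",
     "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=3)}},
    {"RoleName": "lambda-helper-role",
     "Path": "/service-role/",
     "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=500)}},
    {"RoleName": "legacy-deploy-role",
     "Path": "/",
     "RoleLastUsed": {}},            # no LastUsedDate: not used inside the tracking window
    {"RoleName": "active-app-role",
     "Path": "/",
     "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=10)}},
]


def classify_role(role: dict) -> str:
    """Classify a role by its Path prefix: service-linked, console-service-role, or regular."""
    path = role.get("Path", "/")
    if path.startswith(SERVICE_LINKED_PREFIX):
        return "service-linked"
    if path.startswith(CONSOLE_SERVICE_PREFIX):
        return "console-service-role"
    return "regular"


def days_since_last_use(role: dict, now: datetime) -> int | None:
    """Days since LastUsedDate, or None when IAM reports no use in its tracking window."""
    last = role.get("RoleLastUsed", {}).get("LastUsedDate")
    if last is None:
        return None
    return (now - last).days


def find_removal_candidates(roles: list[dict], now: datetime,
                            max_unused_days: int = 400) -> list[dict]:
    """Return non-service-linked roles that are unused for longer than max_unused_days.

    A role with no LastUsedDate at all counts as unused, since IAM only keeps
    last-used data for a bounded window and anything older shows up as missing.
    """
    candidates = []
    for role in roles:
        kind = classify_role(role)
        if kind == "service-linked":
            continue  # reported separately; removed via DeleteServiceLinkedRole
        days = days_since_last_use(role, now)
        if days is None or days > max_unused_days:
            candidates.append({
                "RoleName": role["RoleName"],
                "Kind": kind,
                "DaysUnused": days,
                "Reason": "no last-used record" if days is None
                          else f"unused for {days} days",
            })
    return candidates


def service_linked_roles(roles: list[dict]) -> list[str]:
    """Names of roles whose Path marks them as service-linked."""
    return [r["RoleName"] for r in roles if classify_role(r) == "service-linked"]


def main() -> None:
    # Run against the constructed sample; swap in boto3's paginated list_roles
    # output (the same dict shape) to audit a real account.
    for name in service_linked_roles(SAMPLE_ROLES):
        print(f"service-linked (delete only via DeleteServiceLinkedRole): {name}")
    for c in find_removal_candidates(SAMPLE_ROLES, NOW, max_unused_days=400):
        print(f"candidate: {c['RoleName']} [{c['Kind']}] - {c['Reason']}")


if __name__ == "__main__":
    main()
```

The classification relies purely on `Path`, which is the same heuristic the question proposes; the last-used check is the second filter from the comments, with the absent-`LastUsedDate` case treated explicitly so roles beyond the tracking window are not silently skipped.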
