Identify unused IAM roles easily and remove them confidently by using the last used timestamp

Posted on: Nov 19, 2019

To help you identify unused roles in your AWS accounts, AWS Identity and Access Management (IAM) now reports the latest timestamp when role credentials were used to make an AWS request. This information makes it easier for you or your security teams to identify and analyze unused roles and remove them confidently.  

You can view this timestamp in the IAM console or by using IAM APIs with the AWS Command Line Interface (AWS CLI) or a programmatic client. Role last used information is available in US East (Ohio, N. Virginia), US West (N. California, Oregon), Asia Pacific (Hong Kong, Mumbai, Osaka-local, Seoul, Singapore, Sydney, Tokyo), Canada (Central), EU (London, Frankfurt, Ireland, Paris, Stockholm) and South America (São Paulo) public AWS Regions. To learn more, visit the deleting roles or instance profiles documentation.
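
One way to turn the last used timestamp into a review list, as an added example that is not part of the AWS announcement: the function below takes the JSON that `aws iam get-role` returns for each role and flags roles idle beyond a threshold. The 90-day threshold, the function names and the sample roles are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data shaped like `aws iam get-role` output, one response
# per role. Role names and dates are made up for illustration.
SAMPLE_ROLES = [
    {"Role": {"RoleName": "ci-deploy", "CreateDate": "2018-03-01T09:00:00Z",
              "RoleLastUsed": {"LastUsedDate": "2019-11-18T05:08:59Z",
                               "Region": "us-east-1"}}},
    {"Role": {"RoleName": "legacy-etl", "CreateDate": "2017-06-10T12:00:00Z",
              "RoleLastUsed": {"LastUsedDate": "2019-02-01T00:00:00Z",
                               "Region": "eu-west-1"}}},
    {"Role": {"RoleName": "old-vendor-access",
              "CreateDate": "2018-01-15T08:30:00Z", "RoleLastUsed": {}}},
    {"Role": {"RoleName": "new-lambda-exec",
              "CreateDate": "2019-11-10T10:00:00Z", "RoleLastUsed": {}}},
]

def parse_ts(value):
    """Parse ISO 8601 timestamps with either a 'Z' or '+00:00' suffix."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_unused_roles(get_role_responses, now, max_idle_days=90):
    """Return (role_name, reason) pairs for roles idle past the threshold.

    max_idle_days is an assumed review policy, not an AWS default.
    """
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for response in get_role_responses:
        role = response["Role"]
        used = role.get("RoleLastUsed") or {}
        last_used = used.get("LastUsedDate")
        if last_used:
            if parse_ts(last_used) < cutoff:
                region = used.get("Region", "unknown region")
                findings.append((role["RoleName"],
                                 f"last used {last_used} in {region}"))
        elif parse_ts(role["CreateDate"]) < cutoff:
            # Empty RoleLastUsed: IAM has no recorded use for this role.
            findings.append((role["RoleName"], "no recorded use"))
        # A role with no recorded use that was created after the cutoff is
        # too new to judge, so it is not flagged.
    return findings

if __name__ == "__main__":
    now = datetime(2019, 11, 19, tzinfo=timezone.utc)
    for name, reason in find_unused_roles(SAMPLE_ROLES, now):
        print(f"{name}: {reason}")
```

Feed it `get-role` responses rather than `list-roles` output, because the IAM listing operation does not return the `RoleLastUsed` attribute.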