AWS Security Blog

Review last accessed information to identify unused EC2, IAM, and Lambda permissions and tighten access for your IAM roles

AWS Identity and Access Management (IAM) helps customers analyze access and achieve least privilege. When you are working on new permissions for your team, you can use IAM Access Analyzer policy generation to create a policy based on your access activity and set fine-grained permissions. To analyze and refine existing permissions, you can use last accessed information to identify unused actions in your IAM policies and reduce access. When we launched action last accessed in 2020, we started with S3 management actions to help you restrict access to your critical business data. Now, IAM is extending last accessed information to Amazon Elastic Compute Cloud (Amazon EC2), AWS IAM, and AWS Lambda management actions. This makes it easier for you to analyze access and reduce EC2, IAM, and Lambda permissions by providing the latest timestamp when an IAM user or role accessed an action. Using last accessed information, you can identify unused actions in your IAM policies and tighten permissions confidently.

When teams build on AWS, they routinely use Amazon EC2 and Lambda to provision and manage their workloads, and AWS IAM to grant access. Administrators who manage permissions periodically review access information to ensure they grant just the required permissions. Customers have told us they use IAM service last accessed to remove access to unused services, and that they need additional information to determine which action-level permissions they can remove without impacting teams. To help with this, IAM reports the latest time when an IAM user or role used EC2, IAM, Lambda, and S3 management actions, so that you can identify unused permissions and reduce access more easily. Using last accessed information, you can now review when your AWS entities accessed specific IAM permissions, and refine access to just the few permissions that are required. This is also available for EC2 and Lambda, services customers commonly use to run their workloads. You can review the action last accessed information in the IAM console, or programmatically by using the AWS Command Line Interface (AWS CLI) or AWS SDK.

Use AWS Management Console to view action last accessed details

For example, a System Administrator, Nikki Wolf, in your company, Example Corp, is responsible for managing access. She routinely creates IAM roles to grant access to teams that use AWS to develop applications. She does monthly reviews of the access for various team members in your organization, so she can identify and remove unused permissions and maintain compliance. To do this, Nikki first reviews sensitive IAM permissions to ensure that every allowed permission is required and actively used. Next, she reviews the last accessed timestamp for the EC2 and Lambda actions to which the roles have access, to ensure they have only the permissions required to access and manage their workloads. Nikki then uses the last accessed information to identify unused actions and reduce access to them by updating the policies.

To prepare for the quarterly security review, Nikki wants to remove all unused permissions granted to roles, and starts with the testing team.

To view action last accessed information

  1. In the IAM Console, in the IAM navigation pane, select Roles.
  2. Choose the role to analyze (in this example, Nikki chooses ExampleCorpQA), then select the Access Advisor tab, as shown in Figure 1. This tab displays all the AWS services to which the role has permissions.

    Figure 1: Access Advisor tab – list of AWS services to which the role has permissions

  3. On the Service list, choose a service from EC2, IAM, Lambda, or S3. In this example, Nikki chooses Amazon EC2.
  4. Under Action, you see all the actions to which the role has permissions, when the role last accessed each action, and the Region used. You can sort the actions by choosing the arrow next to Last accessed. In this example, Nikki sees that the role has used list actions such as DescribeInstances, as shown in Figure 2. She decides to retain these permissions.

    Figure 2: Access Advisor tab – list of EC2 actions accessed recently

  5. To see all the unused actions, choose Last accessed and select Not accessed from the drop-down menu. In this example, Nikki notices that the role ExampleCorpQA has unused read and write EC2 permissions, as shown in Figure 3.

    Figure 3: Access Advisor tab – list of EC2 actions not accessed recently

Because the role hasn’t used any write EC2 actions such as CreateFleet, Nikki updates the policies to remove all the unused permissions, so that ExampleCorpQA works with just the required permissions while accessing EC2. To learn more about updating permissions, see Modifying a role in the AWS IAM User Guide.

AWS started tracking action last accessed information for EC2, IAM, and Lambda on 4/07. As of 4/19, you can review 12 days of access data. That is, any use of the actions in the preceding 12 days will show up with a last accessed timestamp. As this tracking period continues to increase, you can start making permissions decisions that apply to use cases with longer period requirements (for example, when 30 or 90 days is available).

In the example, Nikki notices that many actions show Not accessed in the tracking period, which means that the role did not use the action since AWS started tracking access for the service, action, and Region.

Use AWS CLI to view action last accessed details

You can also use the AWS CLI to identify unused permissions. The following are the IAM APIs that enable you to view action last accessed details:

  • generate-service-last-accessed-details: This API generates the service and action last accessed data for an IAM principal (user, role, or group). You need to call this API first to start a job that generates the action last accessed data for a user or role. This API returns a JobID that you will then use with get-service-last-accessed-details to determine the status of the job completion.
  • get-service-last-accessed-details: Call this API to retrieve the service and action last accessed data for a user or role based on the JobID you pass in. This API is paginated at the service level.
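The following is an added example (not code from the original post or from AWS) that turns the two-step CLI flow above, and the tracking-period caveat from the console walkthrough, into a reusable check. It assumes you have already run `aws iam generate-service-last-accessed-details --arn <ROLE_ARN> --granularity ACTION_LEVEL`, then `aws iam get-service-last-accessed-details --job-id <JOB_ID>`, and saved the second command's JSON; the embedded report is constructed to mirror that response's shape for the ExampleCorpQA role, and the 4/07 and 4/19 dates come from the post.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the shape of `aws iam get-service-last-accessed-details`
# output for an ACTION_LEVEL job (not a real capture).
SAMPLE_REPORT = json.loads("""{
  "JobStatus": "COMPLETED",
  "JobType": "ACTION_LEVEL",
  "ServicesLastAccessed": [
    {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
     "TrackedActionsLastAccessed": [
       {"ActionName": "DescribeInstances",
        "LastAccessedTime": "2021-04-18T10:15:00+00:00",
        "LastAccessedRegion": "us-east-1"},
       {"ActionName": "RunInstances",
        "LastAccessedTime": "2021-04-08T09:00:00+00:00",
        "LastAccessedRegion": "us-east-1"},
       {"ActionName": "CreateFleet"}]},
    {"ServiceName": "AWS Lambda", "ServiceNamespace": "lambda",
     "TrackedActionsLastAccessed": [{"ActionName": "CreateFunction"}]}
  ]
}""")

# Dates from the post: tracking began 4/07, data reviewed as of 4/19 (2021 assumed).
TRACKING_START = datetime(2021, 4, 7, tzinfo=timezone.utc)
AS_OF = datetime(2021, 4, 19, tzinfo=timezone.utc)


def unused_actions(report, now, tracking_start, window_days):
    """Return sorted 'namespace:Action' names not used in the last window_days
    days.  An entry with no LastAccessedTime was never used since tracking
    began.  Refuse to answer when the tracking period is shorter than the
    window, because "Not accessed" would then cover only part of it."""
    if report["JobStatus"] != "COMPLETED":
        raise RuntimeError("job not finished: " + report["JobStatus"])
    tracked_days = (now - tracking_start).days
    if tracked_days < window_days:
        raise ValueError("only %d days tracked, need %d" % (tracked_days, window_days))
    cutoff = now - timedelta(days=window_days)
    unused = []
    for svc in report["ServicesLastAccessed"]:
        for act in svc.get("TrackedActionsLastAccessed", []):
            name = svc["ServiceNamespace"] + ":" + act["ActionName"]
            ts = act.get("LastAccessedTime")
            if ts is None or datetime.fromisoformat(ts) < cutoff:
                unused.append(name)
    return sorted(unused)


if __name__ == "__main__":
    print(unused_actions(SAMPLE_REPORT, AS_OF, TRACKING_START, 12))
```

With a 12-day window the sample flags only ec2:CreateFleet and lambda:CreateFunction; asking for a 30-day window raises, because only 12 days of data exist yet.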

Summary

By using last accessed information, you can review access for EC2, IAM, Lambda, and S3 actions, remove unused actions, and reduce permissions for your IAM users and roles. For more information, see Refining permissions in AWS using last accessed information in the AWS IAM User Guide.


Mathangi Ramesh

Mathangi is the product manager for AWS Identity and Access Management. She enjoys talking to customers and working with data to solve problems. Outside of work, Mathangi is a fitness enthusiast and a Bharatanatyam dancer. She holds an MBA degree from Carnegie Mellon University.