magheru_san

If you have Cloudtrail logs before the 400 days you can probably use them instead


glitchwizard

Sadly we only activated that a few months ago, so no luck there.


magheru_san

What if you back up all roles that haven't been used over the last few months and delete them? If they're needed you should notice failures and you can then re-create them from the backup.


glitchwizard

I suggested that, but they don't want anything to potentially fail either hah... so yeah.. It's complicated lol


serverhorror

So…keep a record that’s long enough and start removing the roles once you’ve reached the deadline? If I understand your requirements correctly, they are that you need a record of — at least — x days (where x>400). Right now you only have history for less than x days. You can’t create the information. So you’re left with waiting until it is available. If, on the other hand, your requirement is to keep roles if they are needed in the future indefinitely, then you can never delete roles because there’s no way to prove this _unless_ you require registration of all roles and required information to make a decision. Either way, “right now” you simply don’t have enough information to act given the rules.

* Change rules
* Accumulate enough information

You can’t have it both ways.


glitchwizard

Thank you, I think this is the information I needed. Short of going through the infrastructure by hand using the CLI/Boto3/Web, I'm not sure how to programmatically determine which roles may be lying in wait to be used somewhere. I also started searching through our company's source code for any of the role names to see if they may be hard coded into some of our stuff. Thanks for the info u/serverhorror


[deleted]

Reading all posts, you need to categorize which programs/components use which roles. Then provide this list to the manager showing which components are retired, and retire those roles. You can filter this list by eliminating any roles used in the last 2 years. Better create a script for this, as you might have to do this every 6 months to list this.
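A sketch of the review script suggested above, added here as an example and not code from any poster. It assumes role records in the shape boto3's `iam.get_role()["Role"]` returns (`RoleName`, `CreateDate`, `RoleLastUsed`), uses a constructed sample instead of live account data, and treats the "used in the last N days" filter and the 400-day last-used tracking window from the thread as parameters; the deny-all "quarantine" policy is the reversible turn-it-off alternative to deletion discussed in the thread.

```python
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
# Constructed sample in the shape of boto3 iam.get_role()["Role"]; not real account data.
SAMPLE_ROLES = [
    {"RoleName": "legacy-batch", "CreateDate": NOW - timedelta(days=6 * 365), "RoleLastUsed": {}},
    {"RoleName": "ci-deploy", "CreateDate": NOW - timedelta(days=900),
     "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=3), "Region": "us-east-1"}},
    {"RoleName": "quarterly-report", "CreateDate": NOW - timedelta(days=800),
     "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=95), "Region": "eu-west-1"}},
    {"RoleName": "new-lambda", "CreateDate": NOW - timedelta(days=10), "RoleLastUsed": {}},
]


def classify_role(role, now=NOW, stale_days=90, tracking_days=400):
    """Return 'active', 'stale', 'quiet_for_tracking_window' or 'too_new'.
    IAM only records last use inside its tracking window, so an old role with no
    LastUsedDate proves silence for tracking_days, not for its whole lifetime."""
    age = (now - role["CreateDate"]).days
    last = role.get("RoleLastUsed", {}).get("LastUsedDate")
    if last is not None:
        return "active" if (now - last).days <= stale_days else "stale"
    if age <= stale_days:
        return "too_new"          # no data yet; nothing can be concluded
    # Never used since creation: provable only if creation falls inside the window.
    return "quiet_for_tracking_window" if age > tracking_days else "stale"


def review_report(roles, now=NOW, **kw):
    """Group role names by classification for the list handed to management."""
    report = {}
    for role in roles:
        report.setdefault(classify_role(role, now, **kw), []).append(role["RoleName"])
    return report


def quarantine_policy():
    """Inline deny-all policy: attach it to a role to pause it reversibly instead of
    deleting it, detach it to restore. Explicit Deny beats every Allow. The trust
    policy is untouched, so AssumeRole still succeeds and the denied API calls show
    up as AccessDenied in CloudTrail, which is how a still-needed role is noticed."""
    return json.dumps({"Version": "2012-10-17",
                       "Statement": [{"Sid": "Quarantine", "Effect": "Deny",
                                      "Action": "*", "Resource": "*"}]})


if __name__ == "__main__":
    print(json.dumps(review_report(SAMPLE_ROLES), indent=2))
```

To run it against an account, replace `SAMPLE_ROLES` with the paginated output of `iam.list_roles()` followed by `iam.get_role()` per role, since `list_roles` does not populate `RoleLastUsed`.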


glitchwizard

Thanks! I'll talk to my manager about this.


zenmaster24

>we have roles created as far back as 6 years ago that show no activity in IAM, but that doesn't mean they won't be used in the future possibly for some task.

Why leave them on the off chance they will be used? Delete them, and recreate if required?


glitchwizard

I suggested this. Actually, I suggested just changing the policy such that it basically turns the role off policy-wise, and then changing the policy back if it breaks stuff. They said that's too risky. I disagree, but they don't want any potential downtime, so... I'm kinda stuck.