By using AWS re:Post, you agree to the Terms of Use

Identify in-built or default IAM Roles


I am trying to come up with a program to manage or clean up older IAM Roles. In the process I am trying to identify AWS or Amazon created in-built or default IAM Roles. I would like to ignore deleting all such roles. Any pointers how to identify such IAM Roles

  • some sample role I see are like AmazonSSMRoleForInstancesQuickSetup, AmazonEC2RoleforSSM etc.

1 Answer
Accepted Answer

You should definitely check for "aws-reserved" and "aws-service-role" in the ARN of the role you consider deleting. Service-Linked Roles and Roles for SSO will contain these prefixes in their ARN's.

However, I would rather recommend you to attach tags to the roles you create. You can then simply filter your roles by custom tags to make sure you only delete the Roles you created. Implementing Tag policies for your organization, will ensure that certain tags are set(

answered 8 months ago
  • Thanks for the suggestion. We have tagged many IAM Roles, however while practicing or learning some AWS services, there has been no regulation over IAM roles created manually and not been tagged. I see bunch of IAM Roles having ARN: arn:aws:iam::<AccountId>:role/aws-service-role/aws-service-role/ Another pattern I noticed is that all these Roles have Path value /aws-service-role/<service-name> , is this same as the prefix you are referring to as well.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions