- Newest
- Most votes
- Most comments
You should definitely check for "aws-reserved" and "aws-service-role" in the ARN of the role you consider deleting. Service-Linked Roles and Roles for SSO will contain these prefixes in their ARN's.
However, I would rather recommend you to attach tags to the roles you create. You can then simply filter your roles by custom tags to make sure you only delete the Roles you created. Implementing Tag policies for your organization, will ensure that certain tags are set(https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html).
Thanks for the suggestion. We have tagged many IAM Roles, however while practicing or learning some AWS services, there has been no regulation over IAM roles created manually and not been tagged. I see bunch of IAM Roles having ARN: arn:aws:iam::<AccountId>:role/aws-service-role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM. Another pattern I noticed is that all these Roles have Path value /aws-service-role/<service-name> , is this same as the prefix you are referring to as well.
Relevant content
AWS OFFICIALUpdated 10 months ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
some sample role I see are like AmazonSSMRoleForInstancesQuickSetup, AmazonEC2RoleforSSM etc.