Ensure AWS IAM managed policies do not have 'getObject' or full S3 action permissions
Note: AWS managed policies cannot be deleted, so detaching them from every IAM entity is the remediation for this check; a customer managed policy can be deleted once it no longer has any attachments.
1. Go to 'IAM'
2. In the menu, under 'Access management', choose 'Policies'
3. For each non-compliant policy, make sure there are no IAM entities attached to it:
4. Choose the non-compliant policy
5. Under 'Policy usage', detach any IAM entity attached to it
From Command Line:
To remove the specified managed policy from a specified user, run:
aws iam detach-user-policy --user-name USER-NAME --policy-arn POLICY-ARN
To remove the specified managed policy from a specified IAM group, run:
aws iam detach-group-policy --group-name GROUP-NAME --policy-arn POLICY-ARN
To remove the specified managed policy from a specified role, run:
aws iam detach-role-policy --role-name ROLE-NAME --policy-arn POLICY-ARN
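The detach commands above assume you already know which policies are non-compliant and which entities they are attached to. The following is an added example, not code from the original page or from AWS: it checks whether an IAM policy document grants s3:GetObject (a policy granting full S3 access via "s3:*" or "*" grants it as well, so the one test covers both halves of the check), and it turns the JSON returned by `aws iam list-entities-for-policy --policy-arn ...` into the three detach commands listed above. The policy document, entity listing, ARN and names are constructed samples; only the standard library is used.

```python
"""Added example (not from the original page): decide whether an IAM managed
policy document grants s3:GetObject, and generate the detach commands for
every user, group and role that the policy is attached to.

The policy document and the list-entities-for-policy response below are
constructed samples, as are the ARN and the user/group/role names."""
import fnmatch
import json


def _as_list(value):
    """IAM allows Action, NotAction and Statement to be a string/object or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and patterns may use '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def grants_action(policy_doc, action):
    """True if an Allow statement in policy_doc grants the concrete `action`.

    Handles Action given as a string or a list, wildcard patterns such as
    's3:Get*', 's3:*' and '*', and NotAction (which allows everything except
    the listed patterns). Resource and Condition are deliberately ignored:
    a grant on any resource or under any condition still counts, and an
    explicit Deny elsewhere is not credited, so the check errs on the side
    of flagging a policy."""
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant anything
        if "Action" in stmt:
            if any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                return True
        elif "NotAction" in stmt:
            if not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"])):
                return True
    return False


def detach_commands(policy_arn, entities):
    """Build the detach commands for a `list-entities-for-policy` response.

    PolicyUsers / PolicyGroups / PolicyRoles are the keys that API returns;
    the three command forms are the ones listed on this page."""
    cmds = []
    for user in entities.get("PolicyUsers", []):
        cmds.append(f"aws iam detach-user-policy --user-name {user['UserName']} "
                    f"--policy-arn {policy_arn}")
    for group in entities.get("PolicyGroups", []):
        cmds.append(f"aws iam detach-group-policy --group-name {group['GroupName']} "
                    f"--policy-arn {policy_arn}")
    for role in entities.get("PolicyRoles", []):
        cmds.append(f"aws iam detach-role-policy --role-name {role['RoleName']} "
                    f"--policy-arn {policy_arn}")
    return cmds


# Constructed sample policy: 's3:Get*' silently includes s3:GetObject, and the
# Deny on s3:DeleteObject does not change that.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadBuckets", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:Get*"], "Resource": "*"},
    {"Sid": "DenyDeletes", "Effect": "Deny",
     "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}""")

# Constructed sample in the shape of `aws iam list-entities-for-policy` output.
SAMPLE_ENTITIES = {
    "PolicyGroups": [{"GroupName": "developers", "GroupId": "AGPAEXAMPLE"}],
    "PolicyUsers": [{"UserName": "alice", "UserId": "AIDAEXAMPLE"}],
    "PolicyRoles": [{"RoleName": "app-server", "RoleId": "AROAEXAMPLE"}],
}

SAMPLE_ARN = "arn:aws:iam::123456789012:policy/example-s3-read"  # constructed


if __name__ == "__main__":
    if grants_action(SAMPLE_POLICY, "s3:GetObject"):
        print(f"{SAMPLE_ARN} grants s3:GetObject; detach it with:")
        for cmd in detach_commands(SAMPLE_ARN, SAMPLE_ENTITIES):
            print("  " + cmd)
    else:
        print(f"{SAMPLE_ARN} is compliant")
```

To run this against a real account, feed `grants_action` the document from `aws iam get-policy-version --policy-arn ARN --version-id VERSION` (the default version ID comes from `aws iam get-policy`) and feed `detach_commands` the output of `aws iam list-entities-for-policy --policy-arn ARN`. Review the generated commands before running them: detaching a policy from a role used by a running workload removes that access immediately.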
Policies and Permissions
You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines its permissions. AWS evaluates these policies when a principal, such as a user, makes a request. The permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.