In the web console for AWS IAM policies, the "Delete" option in the "Action" drop-down menu is disabled when selecting any managed policy.
In the CLI, when trying to delete a managed policy, I got:
$ aws iam delete-policy --policy-arn arn:aws:iam::aws:policy/service-role/AWSQuickSightElasticsearchPolicy
An error occurred (AccessDenied) when calling the DeletePolicy operation: Cannot delete policies outside your own account.
The simple question: is it possible to remove any managed policy from my account? If yes, how?
CodePudding user response:
"Cannot delete policies outside your own account" is telling. The policy-arn parameter has an account ID of aws, which I doubt is one that your authenticated identity can delete. (Unless you authed as Jeff Bezos, LOL.)
To remove a managed policy, the docs say:
- Detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy, DetachGroupPolicy, or DetachRolePolicy.
- Delete all versions of the policy using DeletePolicyVersion.
- Delete the policy (this automatically deletes the policy's default version) using this operation.
My guess is that the Web Console was greyed out because either the policy was attached or because there were versions. Make sure to delete those, per the instructions.
The command line failed because of the given ARN. When doing that last step, make sure to use the account ID for the account holding the managed policy to delete.
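The three-step removal described in this answer, as an added example that is not part of the original thread: it refuses any ARN whose account field is "aws" or that belongs to an account other than the caller's, then detaches, deletes versions and deletes the policy. It assumes aws CLI v2 (which paginates the list calls automatically) and credentials in the account that owns the policy.

```shell
#!/bin/sh
# Added example, not code from the original thread: delete one customer managed
# IAM policy with the three steps the answer lists, refusing first any ARN whose
# account field is "aws" (an AWS managed policy) or belongs to another account.
# Assumes aws CLI v2, which paginates the list-* calls automatically.
set -eu

# 0 when the account field is a 12-digit account ID (customer managed policy);
# 1 for anything else, e.g. arn:aws:iam::aws:policy/... (AWS managed policy).
is_customer_managed_policy_arn() {
  case "$1" in
    arn:aws*:iam::[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:policy/*) return 0 ;;
    *) return 1 ;;
  esac
}

delete_customer_managed_policy() {
  arn=$1
  is_customer_managed_policy_arn "$arn" || { echo "refusing $arn: not a customer managed policy" >&2; return 1; }
  # DeletePolicy only works from the account that owns the policy.
  caller=$(aws sts get-caller-identity --query Account --output text)
  case "$arn" in
    arn:aws*:iam::"$caller":policy/*) ;;
    *) echo "refusing $arn: not owned by caller account $caller" >&2; return 1 ;;
  esac
  # Step 1: detach from every user, group and role it is attached to.
  for u in $(aws iam list-entities-for-policy --policy-arn "$arn" --query 'PolicyUsers[].UserName' --output text); do
    aws iam detach-user-policy --user-name "$u" --policy-arn "$arn"
  done
  for g in $(aws iam list-entities-for-policy --policy-arn "$arn" --query 'PolicyGroups[].GroupName' --output text); do
    aws iam detach-group-policy --group-name "$g" --policy-arn "$arn"
  done
  for r in $(aws iam list-entities-for-policy --policy-arn "$arn" --query 'PolicyRoles[].RoleName' --output text); do
    aws iam detach-role-policy --role-name "$r" --policy-arn "$arn"
  done
  # Step 2: delete every non-default version (the default one cannot be deleted on its own).
  for v in $(aws iam list-policy-versions --policy-arn "$arn" --query 'Versions[?IsDefaultVersion==`false`].VersionId' --output text); do
    aws iam delete-policy-version --policy-arn "$arn" --version-id "$v"
  done
  # Step 3: delete the policy itself, which removes the default version too.
  aws iam delete-policy --policy-arn "$arn"
}

# Usage: ./delete_policy.sh arn:aws:iam::123456789012:policy/MyPolicy (constructed sample ARN)
[ $# -eq 0 ] || delete_customer_managed_policy "$1"
```

If a detach or version delete fails, the final delete-policy call still fails with a DeleteConflict, so nothing is removed half-way.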
CodePudding user response:
No, you cannot delete IAM policies that are managed by AWS. The policy in your example seems to be one managed by AWS and hence cannot be deleted. You can, however, delete customer managed IAM policies if you have the appropriate permissions to do so.