aws.iam-group | Detach Managed Policies #7472

joyceol · 2022-06-09T18:19:42Z

joyceol
Jun 9, 2022

Hello,

I'm trying to remove any new groups that is with the AdminstratorAccess attached.

However, I noticed that there ir no specific action for delete managed policies.

I've try to delete the group itself, but I get the error: An error occurred (DeleteConflict) when calling the DeleteGroup operation: Cannot delete entity, must detach all policies first.

The Policy:

policies:
  - name: iam-group-detach-policy
    resource: iam-group
    description: Detach AdministratorAccess policy from new roles
    mode:
        type: cloudtrail
        events:
          - source: iam.amazonaws.com
            event: CreateGroup
            ids: requestParameters.groupName
    filters:
    - type: has-specific-managed-policy
      value: AdministratorAccess
    actions:
      - type: delete

Answered by thisisshi

Jun 14, 2022

thanks for the question, this is actually a enhancement we would need to make to the iam-group resource to add a detach-managed-policies action

View full answer

thisisshi · 2022-06-14T18:02:50Z

thisisshi
Jun 14, 2022
Collaborator

thanks for the question, this is actually a enhancement we would need to make to the iam-group resource to add a detach-managed-policies action

0 replies

matthiasbuchner · 2025-01-22T07:36:14Z

matthiasbuchner
Jan 22, 2025

You can use set-policy

      - type: set-policy
        state: detached
        arn: "*"

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cloud Custodian

aws.iam-group | Detach Managed Policies #7472

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments

{{title}}

{{title}}

Select a reply

Cloud Custodian

aws.iam-group | Detach Managed Policies #7472

joyceol Jun 9, 2022

Replies: 2 comments

thisisshi Jun 14, 2022 Collaborator

matthiasbuchner Jan 22, 2025

joyceol
Jun 9, 2022

thisisshi
Jun 14, 2022
Collaborator

matthiasbuchner
Jan 22, 2025