Ensure that deprecated AWS IAM managed policies are replaced with new ones, approved by AWS, in order to avoid any potential security risks associated with the deprecated policies. A managed policy marked as deprecated continues to work for all currently attached IAM users, groups and roles, however, it cannot be attached to any new users, groups or roles and if you detach it from the current IAM entity, you cannot reattach it. Cloud Conformity keeps an up-to-date list of all deprecated AWS IAM managed policies to help you with mitigation.
Continuing to use the deprecated AWS managed policy can carry risks that are mitigated only by switching to the replacement policy. If an IAM user, group or role within your AWS account still requires the deprecated managed policy, follow the steps outlined in Remediation/Resolution section to attach the replacement policy instead. Note: As example, this conformity rule demonstrates how to identify and replace "AmazonElasticTranscoderFullAccess" deprecated policy with a replacement managed policy named "AmazonElasticTranscoder_FullAccess". "AmazonElasticTranscoderFullAccess" managed policy has been marked as deprecated because the policy is potentially granting admin access to self or any other IAM roles, failing to follow the principle of least privilege.
To determine if there are any deprecated IAM managed policies in use within your AWS account, perform the following actions:
To change the deprecated AWS managed policies with their replacement policies within IAM entities configuration, perform the following actions: