Overview
Identify and safely remove unused AWS IAM Identity Center (AWS SSO) permission sets so your environment stays clean, easier to manage, and aligned with current usage. This plan inventories all SSO permission sets and their assignments, highlights those with no active use, guides you through deciding which ones to delete, and then removes and validates them. It ends with a check to ensure that remaining permission sets are either in active use or intentionally retained for future needs.
Execution Details
Assessment
Inventory AWS SSO instances and permission sets
Start by discovering all AWS IAM Identity Center (SSO) instances in scope and building a complete catalog of their permission sets.
This phase:
- Determines which SSO instances to include (for example, only the organization’s primary instance or all instances in the account).
- Gathers all permission sets in each instance, capturing details such as name, ARN, description, creation and last-modified dates.
- Records any relevant tags (environment, owner, application, compliance flags, etc.).
- Stores this inventory in a structured format (such as a table or JSON) for later analysis.
Enumerate permission set assignments
Next, correlate each permission set with its actual usage across accounts and principals.
This phase:
- Walks through each permission set in the inventory.
- Lists all account assignments, capturing the AWS account ID, principal type (user or group), and principal identifier or name.
- Records supporting metadata such as the related SSO instance, Region, and permission set name.
- Distinguishes permission sets with one or more active assignments from those with no assignments.
- Stores the mapping of permission sets to accounts and principals in a structured format for further evaluation.
Identify unused permission sets
With the inventory and assignment mapping in place, this phase identifies which permission sets are not currently used and are candidates for cleanup.
It:
- Determines permission sets with zero active assignments across all accounts in each SSO instance.
- Excludes permission sets that are tagged or named as protected or reserved (such as core or baseline sets that must be retained).
- Optionally flags newly created or recently modified permission sets with no assignments for separate review (based on a configurable age threshold).
- Produces a candidate list of unused permission sets, including instance, name, ARN, tags, dates, and any flags (protected, recent activity).
- Stores this candidate list in a structured format for your review.
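The three assessment phases above (inventory, assignment mapping, unused-candidate selection) as one runnable example. This is added illustration code, not the plan's own implementation. It is written against the shape of the boto3 `sso-admin` API (`list_instances`, `list_permission_sets`, `describe_permission_set`, `list_tags_for_resource`, `list_accounts_for_provisioned_permission_set`, `list_account_assignments`, all paginated with `NextToken`), but runs offline against a constructed fake client so the decision logic can be exercised; swap in `boto3.client("sso-admin")` to run it for real. The protected tag keys, the `Core` name prefix, the 30-day "recent" threshold and all sample ARNs and account IDs are assumptions.

```python
"""Assessment: inventory permission sets, map assignments, flag unused ones.
Added example (not the plan's code); API call shapes follow boto3 sso-admin."""
from datetime import datetime, timedelta, timezone

PROTECTED_TAG_KEYS = {"protected", "reserved"}  # assumed tagging convention
PROTECTED_NAME_PREFIX = "core"                  # assumed naming convention
RECENT_DAYS = 30                                # assumed age threshold


def _paginate(method, key, **kwargs):
    """Follow NextToken until exhausted, yielding every item under `key`."""
    token = None
    while True:
        resp = method(**kwargs, NextToken=token) if token else method(**kwargs)
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return


def build_inventory(client, instance_arns=None):
    """Phase 1: one record per permission set (name, ARN, created date, tags)."""
    instances = instance_arns or [
        i["InstanceArn"] for i in _paginate(client.list_instances, "Instances")]
    inventory = []
    for inst in instances:
        for arn in _paginate(client.list_permission_sets, "PermissionSets",
                             InstanceArn=inst):
            ps = client.describe_permission_set(
                InstanceArn=inst, PermissionSetArn=arn)["PermissionSet"]
            tags = {t["Key"]: t["Value"] for t in _paginate(
                client.list_tags_for_resource, "Tags",
                InstanceArn=inst, ResourceArn=arn)}
            inventory.append({"instance_arn": inst, "arn": arn, "name": ps["Name"],
                              "description": ps.get("Description", ""),
                              "created": ps["CreatedDate"], "tags": tags})
    return inventory


def map_assignments(client, inventory):
    """Phase 2: {permission set ARN: [assignments]} across all provisioned accounts."""
    mapping = {}
    for rec in inventory:
        found = []
        for account in _paginate(client.list_accounts_for_provisioned_permission_set,
                                 "AccountIds", InstanceArn=rec["instance_arn"],
                                 PermissionSetArn=rec["arn"]):
            for a in _paginate(client.list_account_assignments, "AccountAssignments",
                               InstanceArn=rec["instance_arn"], AccountId=account,
                               PermissionSetArn=rec["arn"]):
                found.append({"account_id": account, "principal_type": a["PrincipalType"],
                              "principal_id": a["PrincipalId"]})
        mapping[rec["arn"]] = found
    return mapping


def find_unused(inventory, mapping, now=None, recent_days=RECENT_DAYS):
    """Phase 3: zero-assignment sets, minus protected ones, with a 'recent' flag."""
    now = now or datetime.now(timezone.utc)
    candidates = []
    for rec in inventory:
        if mapping.get(rec["arn"]):
            continue  # has live assignments: not a candidate
        protected = bool(PROTECTED_TAG_KEYS & {k.lower() for k in rec["tags"]}) \
            or rec["name"].lower().startswith(PROTECTED_NAME_PREFIX)
        if protected:
            continue  # tagged/named as protected: excluded from cleanup
        recent = (now - rec["created"]) < timedelta(days=recent_days)
        candidates.append({**rec, "assignment_count": 0, "recent": recent})
    return candidates


class FakeSsoAdmin:
    """Constructed stand-in for boto3.client('sso-admin'); all data is invented."""
    INST = "arn:aws:sso:::instance/ssoins-EXAMPLE"
    NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
    _PS = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-"
    DATA = {  # suffix: (name, age_days, tags, {account: [(principal_type, id)]})
        "admin": ("AdminAccess", 400, {}, {"111111111111": [("GROUP", "g-admins")]}),
        "legacy": ("LegacyReadOnly", 400, {}, {}),
        "pilot": ("NewPilot", 5, {}, {}),
        "core": ("CoreBaseline", 200, {"protected": "true"}, {}),
    }

    def _rec(self, arn):
        return self.DATA[arn.rsplit("-", 1)[1]]

    def list_instances(self, **kw):
        return {"Instances": [{"InstanceArn": self.INST, "IdentityStoreId": "d-EXAMPLE"}]}

    def list_permission_sets(self, InstanceArn, NextToken=None, **kw):
        arns, start = [self._PS + k for k in self.DATA], int(NextToken or 0)
        resp = {"PermissionSets": arns[start:start + 2]}  # two per page to show paging
        if start + 2 < len(arns):
            resp["NextToken"] = str(start + 2)
        return resp

    def describe_permission_set(self, InstanceArn, PermissionSetArn, **kw):
        name, age, _, _ = self._rec(PermissionSetArn)
        return {"PermissionSet": {"Name": name, "PermissionSetArn": PermissionSetArn,
                                  "CreatedDate": self.NOW - timedelta(days=age)}}

    def list_tags_for_resource(self, InstanceArn, ResourceArn, **kw):
        return {"Tags": [{"Key": k, "Value": v} for k, v in self._rec(ResourceArn)[2].items()]}

    def list_accounts_for_provisioned_permission_set(self, InstanceArn, PermissionSetArn, **kw):
        return {"AccountIds": list(self._rec(PermissionSetArn)[3])}

    def list_account_assignments(self, InstanceArn, AccountId, PermissionSetArn, **kw):
        return {"AccountAssignments": [
            {"AccountId": AccountId, "PermissionSetArn": PermissionSetArn,
             "PrincipalType": t, "PrincipalId": p}
            for t, p in self._rec(PermissionSetArn)[3].get(AccountId, [])]}


if __name__ == "__main__":
    client = FakeSsoAdmin()
    inv = build_inventory(client)
    for c in find_unused(inv, map_assignments(client, inv), now=FakeSsoAdmin.NOW):
        print(f"candidate: {c['name']:<15} recent={c['recent']}  {c['arn']}")
```

Against the sample data, `AdminAccess` is excluded because it has a live group assignment, `CoreBaseline` because of its `protected` tag and `Core` name, and the two remaining sets become candidates, with `NewPilot` flagged as recent so it gets the extra attention the confirmation phase calls for.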
Confirm permission sets to delete (user interaction)
You are then guided through selecting which unused permission sets should actually be removed.
This phase:
- Presents the candidate unused permission sets along with key context: SSO instance, name, ARN, tags, and assignment count (zero).
- Emphasizes permission sets that are marked as protected or were created/modified recently so you can give them extra attention.
- Allows you to choose which unused permission sets to delete and which to keep.
- Lets you mark some unused permission sets as explicit exceptions to retain, optionally capturing rationale.
- Produces and stores a final, user‑approved list of permission sets to delete, including their SSO instance identifiers and ARNs.
Configuration
Delete approved unused permission sets
After confirmation, the plan removes the selected permission sets while performing safety checks.
This phase:
- Uses the user‑approved deletion list as the source of truth.
- Re-validates that each permission set still has no active assignments before deletion; newly used sets are removed from the deletion list and recorded as exceptions.
- Deletes each remaining approved permission set from its corresponding SSO instance.
- Records the result of each deletion, including any errors and reasons for failure.
- Refreshes the permission set list or performs targeted checks to confirm that successfully deleted permission sets are no longer present.
- Produces a summary of which permission sets were deleted and which could not be removed, along with suggested follow‑up where needed.
Validation
Verify permission sets are removed
This phase ensures that all intended deletions actually took effect.
It:
- Retrieves the current permission sets for each SSO instance where deletions were attempted.
- Confirms that each permission set recorded as successfully deleted no longer appears.
- Investigates any permission sets that still exist, clarifying whether deletion failed or was intentionally skipped and referencing any logged error details.
- Documents permission sets that were intended for deletion but remain, including reasons and recommended remediation steps.
- Produces a validation summary listing all permission sets confirmed as removed and those needing further action.
Verify remaining permission sets are in use or intentionally retained
Finally, the plan confirms that the environment is left in a clean, well‑understood state.
This phase:
- Uses the updated inventory and assignment data to identify any remaining permission sets with zero active assignments.
- Compares these to the list of user‑approved exceptions that should be kept for future use.
- Flags any leftover zero‑assignment permission sets not on the exception list as candidates for future cleanup cycles.
- Checks that permission sets with active assignments align with expected naming and tagging conventions where possible.
- Updates documentation or tracking records to reflect which permission sets are in active use, explicitly retained as exceptions, or targeted for later review.
- Produces a final report summarizing the status and intended purpose of all remaining permission sets.
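The deletion phase (re-validate, delete, record outcomes) and the two validation phases (confirm removals, classify what remains) as a single runnable example. This is added illustration code, not the plan's own implementation. The AWS calls are abstracted behind three callables (`count_assignments`, `delete`, `remaining`) so the logic runs offline against a constructed in-memory state; in a real run those would wrap `list_account_assignments`, `delete_permission_set` and `list_permission_sets` on a `boto3.client("sso-admin")`. The sample ARNs, the simulated failed deletion and the exception list are assumptions.

```python
"""Deletion and validation of approved unused permission sets.
Added example (not the plan's code); AWS calls are injected as callables."""


def delete_approved(approved, count_assignments, delete):
    """Delete each approved set only if it still has zero assignments right now.
    approved: [{instance_arn, arn, name}]; count_assignments(inst, arn) -> int;
    delete(inst, arn) raises on failure. Every outcome is recorded."""
    result = {"deleted": [], "skipped_in_use": [], "failed": []}
    for ps in approved:
        live = count_assignments(ps["instance_arn"], ps["arn"])
        if live > 0:  # acquired an assignment since approval: becomes an exception
            result["skipped_in_use"].append({**ps, "assignment_count": live})
            continue
        try:
            delete(ps["instance_arn"], ps["arn"])
            result["deleted"].append(ps)
        except Exception as exc:  # keep going; report the error with the set
            result["failed"].append({**ps, "error": f"{type(exc).__name__}: {exc}"})
    return result


def verify_removed(result, remaining_arns):
    """Confirm recorded deletions actually took effect; explain anything left."""
    remaining = set(remaining_arns)
    confirmed, still_present = [], []
    for ps in result["deleted"]:
        if ps["arn"] in remaining:
            still_present.append({**ps, "reason": "delete reported success but set still listed"})
        else:
            confirmed.append(ps)
    for ps in result["failed"]:
        still_present.append({**ps, "reason": "deletion failed: " + ps["error"]})
    for ps in result["skipped_in_use"]:
        still_present.append({**ps, "reason": "skipped: gained assignments after approval"})
    return {"confirmed_removed": confirmed, "still_present": still_present}


def classify_remaining(remaining_arns, count_assignments, instance_arn, exceptions):
    """Final state report: in_use, retained_exception, or future_cleanup per set."""
    report = {"in_use": [], "retained_exception": [], "future_cleanup": []}
    for arn in remaining_arns:
        if count_assignments(instance_arn, arn) > 0:
            report["in_use"].append(arn)
        elif arn in exceptions:
            report["retained_exception"].append(arn)
        else:
            report["future_cleanup"].append(arn)  # zero assignments, not excepted
    return report


class FakeIdentityCenter:
    """Constructed stand-in holding live assignment counts; can fail one delete."""
    def __init__(self, counts, fail_on=()):
        self.counts, self.fail_on = dict(counts), set(fail_on)

    def count_assignments(self, instance_arn, arn):
        return self.counts.get(arn, 0)

    def delete(self, instance_arn, arn):
        if arn in self.fail_on:  # simulated API error for the failure-path
            raise PermissionError("AccessDeniedException on sso:DeletePermissionSet")
        del self.counts[arn]

    def remaining(self):
        return list(self.counts)


INST = "arn:aws:sso:::instance/ssoins-EXAMPLE"
PS = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-"


def run_cleanup(state, approved, exceptions):
    """Drive the three phases and return (deletion result, validation, report)."""
    result = delete_approved(approved, state.count_assignments, state.delete)
    validation = verify_removed(result, state.remaining())
    report = classify_remaining(state.remaining(), state.count_assignments, INST, exceptions)
    return result, validation, report


def sample_run():
    # Sample scenario (constructed): 'pilot' gained an assignment after approval,
    # 'stale' cannot be deleted, 'core' is an approved exception to retain.
    state = FakeIdentityCenter(
        {PS + "admin": 1, PS + "legacy": 0, PS + "pilot": 1, PS + "stale": 0, PS + "core": 0},
        fail_on={PS + "stale"})
    approved = [{"instance_arn": INST, "arn": PS + s, "name": s}
                for s in ("legacy", "pilot", "stale")]
    return run_cleanup(state, approved, exceptions={PS + "core"})


if __name__ == "__main__":
    result, validation, report = sample_run()
    print("deleted:", [p["name"] for p in validation["confirmed_removed"]])
    for p in validation["still_present"]:
        print("still present:", p["name"], "-", p["reason"])
    print("final report:", report)
```

The re-check before each delete is the safety property the plan relies on: a permission set approved hours earlier may have been assigned since, and the live count, not the earlier inventory, decides. Failures are recorded per set rather than aborting the run, so the validation phase can state exactly why each intended deletion did not take effect.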