AWS recently added support for detecting unused access granted to IAM roles and users within their AWS IAM Access Analyzer tool. The new analyzer can identify unused roles, unused IAM user access keys and passwords, and unused permissions within a defined usage window. This analysis can be done across accounts within the organization and be controlled from a delegated administrator account.