Ensure that every Amazon IAM group created within your AWS cloud account has at least one IAM user attached. Otherwise, remove any orphaned (unused) IAM groups so that unauthorized IAM users cannot later be attached to them.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Removing orphaned and unused Amazon IAM groups eliminates the risk that a forgotten group will be used accidentally to allow unauthorized users to access AWS services and resources.
Audit
To determine if each IAM group created in your AWS cloud account has at least one IAM user attached, perform the following operations:
Remediation / Resolution
To remove any unused Amazon IAM groups from your AWS cloud account, perform the following operations:
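The audit and remediation steps above map onto three IAM API calls the rule references (list-groups, get-group, delete-group). The following script is an added example, not Conformity's own tooling: it walks every group with pagination, flags groups that return zero users from get-group, and then removes them. Because DeleteGroup rejects a group that still has attached managed policies or inline policies, the remediation also calls the list-attached-group-policies, detach-group-policy, list-group-policies and delete-group-policy APIs, which go beyond the commands listed on the page. The client is an injectable object whose methods and response shapes follow the boto3 IAM client; a constructed in-memory client with sample groups is used so the script runs offline, and `boto3.client("iam")` can be passed instead for a real account.

```python
"""Audit and remediate orphaned IAM groups (groups with no attached users).

Added example, not Conformity's or AWS's own code. `iam` may be any object
exposing list_groups / get_group / list_attached_group_policies /
detach_group_policy / list_group_policies / delete_group_policy / delete_group
with boto3-style keyword arguments and responses (e.g. boto3.client("iam")).
"""
import copy


def iter_groups(iam):
    """Yield every IAM group, following IsTruncated/Marker pagination."""
    kwargs = {}
    while True:
        page = iam.list_groups(**kwargs)
        for group in page.get("Groups", []):
            yield group
        if not page.get("IsTruncated"):
            return
        kwargs = {"Marker": page["Marker"]}


def group_user_count(iam, group_name):
    """Count users in a group; get-group paginates large memberships too."""
    count, kwargs = 0, {"GroupName": group_name}
    while True:
        page = iam.get_group(**kwargs)
        count += len(page.get("Users", []))
        if not page.get("IsTruncated"):
            return count
        kwargs = {"GroupName": group_name, "Marker": page["Marker"]}


def find_orphaned_groups(iam):
    """Audit: names of groups with zero attached users, sorted."""
    return sorted(g["GroupName"] for g in iter_groups(iam)
                  if group_user_count(iam, g["GroupName"]) == 0)


def remove_group(iam, group_name):
    """Detach/delete policies first: DeleteGroup fails if any remain."""
    for p in iam.list_attached_group_policies(GroupName=group_name)["AttachedPolicies"]:
        iam.detach_group_policy(GroupName=group_name, PolicyArn=p["PolicyArn"])
    for name in iam.list_group_policies(GroupName=group_name)["PolicyNames"]:
        iam.delete_group_policy(GroupName=group_name, PolicyName=name)
    iam.delete_group(GroupName=group_name)


def remediate(iam, dry_run=True):
    """Remediation: delete orphaned groups; with dry_run only report them."""
    orphans = find_orphaned_groups(iam)
    if not dry_run:
        for name in orphans:
            remove_group(iam, name)
    return orphans


class FakeIamClient:
    """Constructed in-memory stand-in for boto3's IAM client (sample data only)."""

    def __init__(self, groups, page_size=2):
        self.groups = groups          # name -> {"Users", "Attached", "Inline"}
        self.page_size = page_size    # small page size exercises pagination
        self.deleted = []

    def _page(self, items, marker):
        start = int(marker) if marker else 0
        chunk = items[start:start + self.page_size]
        truncated = start + self.page_size < len(items)
        out = {"IsTruncated": truncated}
        if truncated:
            out["Marker"] = str(start + self.page_size)
        return chunk, out

    def list_groups(self, Marker=None, **_):
        chunk, out = self._page(sorted(self.groups), Marker)
        out["Groups"] = [{"GroupName": n} for n in chunk]
        return out

    def get_group(self, GroupName, Marker=None, **_):
        chunk, out = self._page(self.groups[GroupName]["Users"], Marker)
        out["Group"], out["Users"] = {"GroupName": GroupName}, [{"UserName": u} for u in chunk]
        return out

    def list_attached_group_policies(self, GroupName, **_):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self.groups[GroupName]["Attached"]]}

    def detach_group_policy(self, GroupName, PolicyArn):
        self.groups[GroupName]["Attached"].remove(PolicyArn)

    def list_group_policies(self, GroupName, **_):
        return {"PolicyNames": list(self.groups[GroupName]["Inline"])}

    def delete_group_policy(self, GroupName, PolicyName):
        self.groups[GroupName]["Inline"].remove(PolicyName)

    def delete_group(self, GroupName):
        g = self.groups[GroupName]
        if g["Users"] or g["Attached"] or g["Inline"]:
            raise RuntimeError("DeleteConflict: group still has users or policies")
        del self.groups[GroupName]
        self.deleted.append(GroupName)


# Constructed sample account: two healthy groups, two orphans (one still
# carrying an admin policy, which is exactly the risk the rule describes).
SAMPLE_GROUPS = {
    "Developers":  {"Users": ["alice", "bob"], "Attached": [], "Inline": []},
    "Auditors":    {"Users": ["carol"], "Attached": [], "Inline": []},
    "LegacyOps":   {"Users": [], "Attached": ["arn:aws:iam::aws:policy/AdministratorAccess"],
                    "Inline": ["s3-legacy"]},
    "TempProject": {"Users": [], "Attached": [], "Inline": []},
}


def build_sample_client():
    return FakeIamClient(copy.deepcopy(SAMPLE_GROUPS))


if __name__ == "__main__":
    client = build_sample_client()
    print("Orphaned groups:", remediate(client, dry_run=True))
    remediate(client, dry_run=False)
    print("Deleted:", client.deleted, "Remaining:", sorted(client.groups))
```

Run the audit with `dry_run=True` first and review the list against your change records; a group may legitimately be empty for a short window while users are being rotated, and the remediation removes its policies before the group itself, so the deletion is not reversible by re-adding a user.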
References
- AWS Documentation
  - AWS Identity and Access Management (IAM) FAQs
  - Security best practices in IAM
  - AWS Security Audit Guidelines
  - Listing IAM user groups
  - Deleting an IAM user group
- AWS Command Line Interface (CLI) Documentation
  - iam
  - list-groups
  - get-group
  - delete-group
- Terraform Documentation
  - AWS Provider