Unused IAM Group

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: IAM-017

Ensure that each Amazon IAM group created within your AWS cloud account has at least one IAM user attached. Remove any orphaned (unused) IAM groups so that a forgotten group cannot later be used to attach unauthorized IAM users.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the following pillars of the AWS Well-Architected Framework:

  • Security
  • Sustainability

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Removing orphaned and unused Amazon IAM groups eliminates the risk that a forgotten group will be used accidentally to allow unauthorized users to access AWS services and resources.


Audit

To determine if each IAM group created in your AWS cloud account has at least one IAM user attached, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose User groups.

04 Click on the name (link) of the Amazon IAM group that you want to examine.

05 Select the Users tab and search for any IAM users attached to the selected group. If there are no IAM users attached to the group and the Amazon IAM console shows the following message: No resources to display., the selected IAM group is orphaned and is considered unused.

06 Repeat steps no. 4 and 5 for each Amazon IAM group that you want to examine, available in your AWS account.

Using AWS CLI

01 Run list-groups command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon IAM groups available within your AWS account:

aws iam list-groups \
  --output table \
  --query 'Groups[*].GroupName'

02 The command output should return a table with the requested IAM group identifiers:

-----------------------------
|        ListGroups         |
+---------------------------+
|  cc-project5-user-group   |
|  cc-ec2-management-group  |
+---------------------------+

03 Run get-group command (OSX/Linux/UNIX) using the name of the Amazon IAM group that you want to examine as the identifier parameter, to list the IAM user(s) attached to the selected group:

aws iam get-group \
  --group-name cc-project5-user-group \
  --query 'Users'

04 The command output should return the name(s) of the associated IAM user(s):

[]

If the get-group command output returns an empty array (i.e. []), as shown in the example above, there are no IAM users attached to the group, therefore the selected IAM group is orphaned and is considered unused.

05 Repeat steps no. 3 and 4 for each Amazon IAM group that you want to examine, available within your AWS account.

Remediation / Resolution

To remove any unused Amazon IAM groups from your AWS cloud account, perform the following operations:

Using Terraform (AWS Provider)

01 Terraform commands:

terraform destroy -target aws_iam_group.cc-project5-user-group

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose User groups.

04 Select the unused Amazon IAM group that you want to remove.

05 Click on the Delete button from the console top menu to initiate the group removal.

06 Inside the Delete <group-name>? confirmation box, enter the name of the selected group in the text input field, then choose Delete to remove the unused IAM group from your AWS cloud account.

07 Repeat steps no. 4 – 6 for each unused Amazon IAM group that you want to remove from your AWS account.

Using AWS CLI

01 Run delete-group command (OSX/Linux/UNIX) using the name of the unused IAM group that you want to delete as the identifier parameter, to remove the selected Amazon IAM group from your AWS cloud account (if successful, the command does not produce an output):

aws iam delete-group \
  --group-name cc-project5-user-group

02 Repeat step no. 1 for each unused Amazon IAM group that you want to remove from your AWS account.
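The audit loop above (list every group, then inspect each group's users) and the delete step can be scripted so that all groups are checked in one pass rather than one at a time. The following is an added example written for this page, not Conformity's own code or tooling. It uses the boto3 IAM client API (`list_groups`, `get_group`, `list_attached_group_policies`, `list_group_policies`, `detach_group_policy`, `delete_group_policy`, `delete_group`); the `FakeIamClient`, its group names, user names and policy ARN (account `123456789012`) are constructed so the script runs offline. It also covers two points a practitioner would want beyond the page's single CLI calls: `list-groups` and `get-group` are paginated, so a large account or a large group needs every page walked before a group can be called empty, and `DeleteGroup` is rejected while the group still has users, attached managed policies or inline policies, so those must be cleared first.

```python
"""Added example (not Conformity's code): find orphaned IAM groups and delete
them safely via boto3. `iam` is a boto3 IAM client, or the constructed
FakeIamClient below, which mimics the paginated responses for an offline run."""


def list_group_names(iam):
    """All IAM group names, walking every page (list-groups is paginated)."""
    names = []
    for page in iam.get_paginator("list_groups").paginate():
        names.extend(g["GroupName"] for g in page["Groups"])
    return names


def group_user_names(iam, group_name):
    """Users attached to one group. get-group returns at most 100 users per
    page, so a single unpaginated call could miss members of a large group."""
    users = []
    for page in iam.get_paginator("get_group").paginate(GroupName=group_name):
        users.extend(u["UserName"] for u in page["Users"])
    return users


def find_unused_groups(iam):
    """Group names with zero attached users: the page's orphaned-group condition."""
    return [g for g in list_group_names(iam) if not group_user_names(iam, g)]


def remove_unused_group(iam, group_name):
    """Delete an orphaned group. DeleteGroup fails while the group still has
    users, attached managed policies or inline policies, so users are
    re-checked and both policy kinds are removed first. Returns what was removed."""
    if group_user_names(iam, group_name):
        raise ValueError(f"{group_name} still has users attached; not deleting")
    removed = []
    pager = iam.get_paginator("list_attached_group_policies")
    for page in pager.paginate(GroupName=group_name):
        for pol in page["AttachedPolicies"]:
            iam.detach_group_policy(GroupName=group_name, PolicyArn=pol["PolicyArn"])
            removed.append(pol["PolicyArn"])
    for page in iam.get_paginator("list_group_policies").paginate(GroupName=group_name):
        for name in page["PolicyNames"]:
            iam.delete_group_policy(GroupName=group_name, PolicyName=name)
            removed.append(name)
    iam.delete_group(GroupName=group_name)
    return removed


class _Paginator:
    def __init__(self, fn):
        self._fn = fn

    def paginate(self, **kwargs):
        return iter(self._fn(**kwargs))


class FakeIamClient:
    """Constructed in-memory stand-in for boto3.client('iam'); all data is
    invented. Listings are split into one-item pages so the pagination loops
    above are exercised, and delete_group enforces the real API's preconditions."""

    def __init__(self, groups):
        # groups: {name: {"users": [...], "managed": [arn, ...], "inline": [name, ...]}}
        self.groups = {k: {key: list(v[key]) for key in v} for k, v in groups.items()}

    def get_paginator(self, op):
        g = self.groups
        return _Paginator({
            "list_groups": lambda: self._pages("Groups", [{"GroupName": n} for n in sorted(g)]),
            "get_group": lambda GroupName: self._pages("Users", [{"UserName": u} for u in g[GroupName]["users"]]),
            "list_attached_group_policies": lambda GroupName: self._pages("AttachedPolicies", [{"PolicyArn": a} for a in g[GroupName]["managed"]]),
            "list_group_policies": lambda GroupName: self._pages("PolicyNames", list(g[GroupName]["inline"])),
        }[op])

    @staticmethod
    def _pages(key, items):
        return [{key: [it]} for it in items] or [{key: []}]

    def detach_group_policy(self, GroupName, PolicyArn):
        self.groups[GroupName]["managed"].remove(PolicyArn)

    def delete_group_policy(self, GroupName, PolicyName):
        self.groups[GroupName]["inline"].remove(PolicyName)

    def delete_group(self, GroupName):
        g = self.groups[GroupName]
        if g["users"] or g["managed"] or g["inline"]:
            raise RuntimeError("DeleteConflict: group still has users or policies")
        del self.groups[GroupName]


# Constructed sample account: one orphaned group that still carries policies,
# one group that is in use.
SAMPLE_GROUPS = {
    "cc-project5-user-group": {"users": [], "managed": ["arn:aws:iam::123456789012:policy/example-managed"], "inline": ["s3-list"]},
    "cc-ec2-management-group": {"users": ["alice", "bob"], "managed": [], "inline": []},
}

if __name__ == "__main__":
    iam = FakeIamClient(SAMPLE_GROUPS)  # swap for boto3.client("iam") against a real account
    for name in find_unused_groups(iam):
        print("orphaned:", name, "removed:", remove_unused_group(iam, name))
```

Run against a real account, `find_unused_groups` alone is the read-only audit; `remove_unused_group` is the remediation and should only be called on names the audit returned and that have been reviewed, since detaching policies and deleting the group are not reversible.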

Publication date May 20, 2016