
Unused AWS IAM Groups

Last updated: 10 November 2017
Security

Risk level: Low (generally tolerable level of risk)

Ensure that all the IAM groups within your AWS account are currently used and have at least one user attached. Otherwise, remove any orphaned (unused) IAM groups in order to prevent attaching unauthorized users.

This rule resolution is part of the Cloud Conformity Security Package

Removing orphaned and unused IAM groups eliminates the risk that a forgotten group will be used accidentally to allow unauthorized users to access AWS resources.

Audit

To determine if each IAM group available in your AWS account has at least one user attached, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Groups.

04 Click on the IAM group name that you want to examine.

05 On the IAM group configuration page, select Users tab.

06 On the Users panel, search for any IAM users attached to the group. If no IAM users are currently attached, the AWS console displays the warning message “This group does not contain any users.” This means that the selected group is orphaned and most likely no longer in use. To adhere to IAM security best practices, Cloud Conformity recommends removing any of these orphaned (unused) groups (see Remediation/Resolution section).

07 Repeat steps no. 4 – 6 for each IAM group that you want to examine within your AWS account.

Using AWS CLI

01 Run list-groups command (OSX/Linux/UNIX) to list all IAM groups within your account:

aws iam list-groups \
    --query 'Groups[*].GroupName'

02 The command output should return an array which contains the names of your IAM groups:

[
    "aws-s3-data-managers",
    "aws-ec2-managers",
    ...
    "aws-rds-sql-admins"
]

03 Run get-group command (OSX/Linux/UNIX) using the IAM group name that you want to examine as command parameter to list the users currently attached to the selected group:

aws iam get-group \
    --group-name aws-s3-data-managers

04 The command output should return the selected IAM group metadata (name, ID, users, etc):

{
    "Group": {
        "CreateDate": "2016-05-19T07:47:30Z",
        "GroupId": "AGPAIXPLN7ULQORAUJPFK",
        "Arn": "arn:aws:iam::123456789012:group/aws-s3-data-managers",
        "GroupName": "aws-s3-data-managers"
    },
    "Users": []
}

If the Users array is empty, i.e. [ ], the IAM group has no users attached and most likely is no longer in use. To adhere to IAM security best practices, Cloud Conformity recommends removing any orphaned groups available in your account.

05 Repeat steps no. 3 and 4 for each IAM group that you want to examine.

Remediation / Resolution

To remove all your unused IAM groups, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Groups.

04 Select the unused IAM group name that you want to remove by clicking the checkbox next to the group name.

05 Click on the Group Actions dropdown button from the IAM dashboard top menu and select the Delete Group action from the list.

06 Inside the Delete Group dialog box, click Yes, Delete button to confirm your action.

07 On the IAM user configuration page, select Permissions tab.

08 Repeat steps no. 4 – 7 for each unused IAM group that you want to remove from your AWS account.

Using AWS CLI

01 Run delete-group command (OSX/Linux/UNIX) to remove any unused IAM groups from your account. Follow the Audit section part II to identify these groups. The next CLI command deletes an IAM group named aws-s3-data-managers from the IAM environment (if successful, the command returns no output):

aws iam delete-group \
    --group-name aws-s3-data-managers

02 Repeat step no. 1 for each unused IAM group within your AWS account.
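The Audit (part II) and Remediation (part II) CLI steps above can be scripted end to end. The following is an added example written for this page, not Cloud Conformity's own tooling and not the AWS CLI: it walks every IAM group through the boto3 IAM client, reports the groups whose Users list is empty, and can then delete them. It goes one step beyond the single delete-group command on the page: iam:DeleteGroup rejects a group that still has attached managed policies or inline policies, so the deletion routine detaches and deletes those first and re-checks that no user was attached in the meantime. The FakeIam class and its group names are constructed sample data so the script runs offline; against a real account you would pass boto3.client("iam") instead.

```python
"""Added example (not Cloud Conformity's code): find IAM groups with no users
attached and, on request, remove them. Works with a boto3 IAM client; FakeIam
below is a constructed stand-in with sample data so the script runs offline."""

import sys


def find_orphaned_groups(iam):
    """Return the names of IAM groups that have no users attached.

    `iam` is a boto3 IAM client or any object with the same list_groups /
    get_group interface. list_groups is paginated with Marker/IsTruncated, so
    every page is walked; the first page of get_group's Users is enough to
    decide whether the group is empty.
    """
    orphaned = []
    kwargs = {}
    while True:
        page = iam.list_groups(**kwargs)
        for group in page["Groups"]:
            name = group["GroupName"]
            if not iam.get_group(GroupName=name)["Users"]:
                orphaned.append(name)
        if not page.get("IsTruncated"):
            return orphaned
        kwargs = {"Marker": page["Marker"]}


def delete_group_safely(iam, name):
    """Delete one IAM group. iam:DeleteGroup refuses a group that still has users,
    attached managed policies or inline policies, so policies are removed first
    and the user check is repeated right before deletion."""
    if iam.get_group(GroupName=name)["Users"]:
        raise RuntimeError(f"{name}: users attached, refusing to delete")
    for pol in iam.list_attached_group_policies(GroupName=name)["AttachedPolicies"]:
        iam.detach_group_policy(GroupName=name, PolicyArn=pol["PolicyArn"])
    for pol_name in iam.list_group_policies(GroupName=name)["PolicyNames"]:
        iam.delete_group_policy(GroupName=name, PolicyName=pol_name)
    iam.delete_group(GroupName=name)


class FakeIam:
    """Constructed offline stand-in for the subset of boto3's IAM client used above."""

    def __init__(self):
        # Constructed sample data: one group in use, two orphaned groups.
        self.groups = {
            "aws-s3-data-managers": [],            # orphaned, managed policy attached
            "aws-ec2-managers": ["alice", "bob"],  # in use
            "aws-rds-sql-admins": [],              # orphaned, inline policy present
        }
        self.attached = {"aws-s3-data-managers": ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]}
        self.inline = {"aws-rds-sql-admins": ["rds-admin-inline"]}

    def list_groups(self, Marker=None, MaxItems=None):
        # One group per page so the Marker/IsTruncated loop is exercised.
        names = sorted(self.groups)
        start = names.index(Marker) if Marker else 0
        nxt = names[start + 1] if start + 1 < len(names) else None
        resp = {"Groups": [{"GroupName": n} for n in names[start:start + 1]],
                "IsTruncated": nxt is not None}
        if nxt:
            resp["Marker"] = nxt
        return resp

    def get_group(self, GroupName):
        return {"Group": {"GroupName": GroupName},
                "Users": [{"UserName": u} for u in self.groups[GroupName]]}

    def list_attached_group_policies(self, GroupName):
        return {"AttachedPolicies": [{"PolicyArn": a, "PolicyName": a.rsplit("/", 1)[-1]}
                                     for a in self.attached.get(GroupName, [])]}

    def detach_group_policy(self, GroupName, PolicyArn):
        self.attached[GroupName].remove(PolicyArn)

    def list_group_policies(self, GroupName):
        return {"PolicyNames": list(self.inline.get(GroupName, []))}

    def delete_group_policy(self, GroupName, PolicyName):
        self.inline[GroupName].remove(PolicyName)

    def delete_group(self, GroupName):
        # Mirrors the DeleteConflict error the real API raises for a non-empty group.
        if self.groups[GroupName] or self.attached.get(GroupName) or self.inline.get(GroupName):
            raise RuntimeError("DeleteConflict: group still has users or policies")
        del self.groups[GroupName]


if __name__ == "__main__":
    # Replace FakeIam() with boto3.client("iam") to audit a real account.
    iam = FakeIam()
    orphans = find_orphaned_groups(iam)
    print("orphaned groups:", orphans)
    if "--delete" in sys.argv:
        for name in orphans:
            delete_group_safely(iam, name)
            print("deleted", name)
```

Run it without arguments to get the audit report only; pass --delete to perform the remediation. The user re-check inside delete_group_safely matters when the audit and the cleanup are run at different times, since a group that looked orphaned can legitimately gain a user in between.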

Publication date May 20, 2016