Unused IAM Group
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that all the IAM groups within your AWS account are currently used and have at least one user attached. Otherwise, remove any orphaned (unused) IAM groups in order to prevent attaching unauthorized users.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Removing orphaned and unused IAM groups eliminates the risk that a forgotten group will be used accidentally to allow unauthorized users to access AWS resources.
To determine if each IAM group available in your AWS account has at least one user attached, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
03 In the left navigation panel, choose Groups.
04 Click on the IAM group name that you want to examine.
05 On the IAM group configuration page, select Users tab.
06 On the Users panel, search for any IAM users attached to the group. If there are no IAM users currently attached, the AWS console will display the following warning message: “This group does not contain any users.”. This means that the selected group is orphaned and most likely not in use anymore. To adhere to IAM security best practices, Cloud Conformity recommends removing any of these orphaned (unused) groups (see Remediation/Resolution section).
07 Repeat steps no. 4 – 6 for each IAM group that you want to examine within your AWS account.
01 Run list-groups command (OSX/Linux/UNIX) to list all IAM groups within your account:
aws iam list-groups --query 'Groups[*].GroupName'
02 The command output should return an array which contains the names of your IAM groups:
[
"aws-s3-data-managers",
"aws-ec2-managers",
...
"aws-rds-sql-admins"
]
03 Run get-group command (OSX/Linux/UNIX) using the IAM group name that you want to examine as command parameter to list the users currently attached to the selected group:
aws iam get-group --group-name aws-s3-data-managers
04 The command output should return the selected IAM group metadata (name, ID, users, etc):
{
"Group": {
"CreateDate": "2016-05-19T07:47:30Z",
"GroupId": "AGPAIXPLN7ULQORAUJPFK",
"Arn": "arn:aws:iam::123456789012:group/aws-s3-data-managers",
"GroupName": "aws-s3-data-managers"
},
"Users": []
}
05 Repeat steps no. 3 and 4 for each IAM group that you want to examine.
To remove all your unused IAM groups, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
03 In the left navigation panel, choose Groups.
04 Select the unused IAM group name that you want to remove by clicking the checkbox next to the group name.
05 Click on the Group Actions dropdown button from the IAM dashboard top menu and select the Delete Group action from the list.
06 Inside the Delete Group dialog box, click Yes, Delete button to confirm your action.
07 On the IAM user configuration page, select Permissions tab.
08 Repeat steps no. 4 – 7 for each unused IAM group that you want to remove from your AWS account.
01
Run delete-group command (OSX/Linux/UNIX) to remove any unused IAM groups from your account. Follow the Audit section part II to identify these groups. The next CLI command deletes an IAM group named aws-s3-data-managers from the IAM environment (if successful, the command is not returning an output):
aws iam delete-group --group-name aws-s3-data-managers
02 Repeat step no. 1 for each unused IAM group within your AWS account.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s Chat