Logo of Trend Micro

Unused IAM Group

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: IAM-017

Ensure that all the IAM groups within your AWS account are currently used and have at least one user attached. Otherwise, remove any orphaned (unused) IAM groups in order to prevent attaching unauthorized users.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Removing orphaned and unused IAM groups eliminates the risk that a forgotten group will be used accidentally to allow unauthorized users to access AWS resources.

Audit

To determine if each IAM group available in your AWS account has at least one user attached, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Groups.

04 Click on the IAM group name that you want to examine.

05 On the IAM group configuration page, select Users tab.

06 On the Users panel, search for any IAM users attached to the group. If there are no IAM users currently attached, the AWS console will display the following warning message: “This group does not contain any users.”. This means that the selected group is orphaned and most likely not in use anymore. To adhere to IAM security best practices, Cloud Conformity recommends removing any of these orphaned (unused) groups (see Remediation/Resolution section).

07 Repeat steps no. 4 – 6 for each IAM group that you want to examine within your AWS account.

Using AWS CLI

01 Run list-groups command (OSX/Linux/UNIX) to list all IAM groups within your account: 

aws iam list-groups
	--query 'Groups[*].GroupName'

02 The command output should return an array which contains the names of your IAM groups: 

[
    "aws-s3-data-managers",
    "aws-ec2-managers",
    ...
    "aws-rds-sql-admins"
]

03 Run get-group command (OSX/Linux/UNIX) using the IAM group name that you want to examine as command parameter to list the users currently attached to the selected group: 

aws iam get-group
	--group-name aws-s3-data-managers

04 The command output should return the selected IAM group metadata (name, ID, users, etc): 

{
    "Group": {
        "CreateDate": "2016-05-19T07:47:30Z",
        "GroupId": "AGPAIXPLN7ULQORAUJPFK",
        "Arn": "arn:aws:iam::123456789012:group/aws-s3-data-managers",
        "GroupName": "aws-s3-data-managers"
    },
    "Users": []
}

If the Users array (highlighted) is empty, i.e. [ ], the IAM group does not have any users attached and most likely is not used anymore. To adhere to IAM security best practices, Cloud Conformity recommends removing any orphaned groups available in your account.

05 Repeat steps no. 3 and 4 for each IAM group that you want to examine.

Remediation / Resolution

To remove all your unused IAM groups, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Groups.

04 Select the unused IAM group name that you want to remove by clicking the checkbox next to the group name.

05 Click on the Group Actions dropdown button from the IAM dashboard top menu and select the Delete Group action from the list.

06 Inside the Delete Group dialog box, click Yes, Delete button to confirm your action.

07 On the IAM user configuration page, select Permissions tab.

08 Repeat steps no. 4 – 7 for each unused IAM group that you want to remove from your AWS account.

Using AWS CLI

01 Run delete-group command (OSX/Linux/UNIX) to remove any unused IAM groups from your account. Follow the Audit section part II to identify these groups. The next CLI command deletes an IAM group named aws-s3-data-managers from the IAM environment (if successful, the command is not returning an output):

aws iam delete-group
	--group-name aws-s3-data-managers

02 Repeat step no. 1 for each unused IAM group within your AWS account.

References

Publication date May 20, 2016

Related IAM rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Unused IAM Group

Risk level: Low