Ensure IAM groups have at least one IAM User attached
It is recommended that all empty IAM groups will removed. Removing unnecessary IAM groups will reduce the window of opportunity of malicious actor to gain access to resources
Risk Level: Low
Cloud Entity: IAM Group
CloudGuard Rule ID: D9.AWS.IAM.88
Category: Security, Identity, & Compliance
GSL LOGIC
IamGroup should not have attachedUsers isEmpty()
REMEDIATION
From Portal
- Go to 'IAM'
- In the menu, under 'Access management', choose 'User groups'
- Select all the empty groups
- Click 'Delete'
From Command Line
To remove IAM group, run:
aws iam delete-group --group-name GROUP_NAME
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_access-management.html
- https://docs.aws.amazon.com/cli/latest/reference/iam/delete-group-policy.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_delete.html
IAM Group
An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
Updated over 1 year ago