Ensure that there are no orphan in AWS IAM groups

LOW

Description

Empty (orphan) IAM groups should be removed as best practice, as it will reduce the complexity of an environment and allow for better monitoring.

Remediation

In AWS Console -

Sign in to AWS Console and go to the IAM dashboard.
Open Groups from the navigation pane.
Click on the IAM group.
Click on Users in the IAM group configuration page.
If the console says 'This group does not contain any users' make sure to remove the group.

In Terraform -

For each aws_iam_group resource, ensure that there is a corresponding aws_iam_group_membership resource. If there are none, remove the aws_iam_group.

References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership

Policy Details

Rule Reference ID: AC_AWS_0438

CSP: AWS

Remediation Available: No

Domain: Compliance Validation

Resource: aws_iam_group

Resource Category: Identity and Access Management (IAM)

Resource Type: Policy

Frameworks

GDPR
HIPAA
ISO-27001
NIST-800-171
NIST-800-53
NIST-CSF
PCI-DSSv3.2.1
PCI-DSSv4.0