Ensure IAM groups have at least one IAM User attached

It is recommended that all empty IAM groups be removed. Removing unnecessary IAM groups reduces the window of opportunity for a malicious actor to gain access to resources.

Risk Level: Low
Cloud Entity: IAM Group
CloudGuard Rule ID: D9.AWS.IAM.88
Covered by Spectral: No
Category: Security, Identity, & Compliance


IamGroup should not have attachedUsers isEmpty()


From Portal

  1. Go to 'IAM'
  2. In the menu, under 'Access management', choose 'User groups'
  3. Select all the empty groups
  4. Click 'Delete'

From Command Line
To remove an IAM group, run:

aws iam delete-group --group-name GROUP_NAME
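
The check and the clean-up can also be scripted. The following is an added example, not CloudGuard's own code: it assumes boto3 and configured AWS credentials, and the function names `empty_groups` and `delete_group` are hypothetical. It removes a group's managed and inline policies before deleting it, because IAM rejects DeleteGroup while policies are still attached, and it defaults to a dry run.

```python
"""Added example: find IAM groups with no users and, optionally, delete them."""


def empty_groups(iam):
    """Return the names of IAM groups that have no users (what this rule flags)."""
    names = []
    for page in iam.get_paginator("list_groups").paginate():
        for group in page["Groups"]:
            name = group["GroupName"]
            # get_group is paginated; a group is empty only if no page lists a user.
            pages = iam.get_paginator("get_group").paginate(GroupName=name)
            if not any(p["Users"] for p in pages):
                names.append(name)
    return names


def delete_group(iam, name, dry_run=True):
    """Detach managed policies, delete inline policies, then delete the group.

    Returns the ordered list of actions taken (or planned, when dry_run is True).
    """
    actions = []
    attached = iam.get_paginator("list_attached_group_policies")
    for page in attached.paginate(GroupName=name):
        for policy in page["AttachedPolicies"]:
            actions.append(("detach_group_policy", policy["PolicyArn"]))
            if not dry_run:
                iam.detach_group_policy(GroupName=name, PolicyArn=policy["PolicyArn"])
    inline = iam.get_paginator("list_group_policies")
    for page in inline.paginate(GroupName=name):
        for policy_name in page["PolicyNames"]:
            actions.append(("delete_group_policy", policy_name))
            if not dry_run:
                iam.delete_group_policy(GroupName=name, PolicyName=policy_name)
    actions.append(("delete_group", name))
    if not dry_run:
        iam.delete_group(GroupName=name)
    return actions


if __name__ == "__main__":
    import boto3  # assumption: boto3 is installed and credentials are configured

    client = boto3.client("iam")
    for group_name in empty_groups(client):
        # Review the planned actions first; pass dry_run=False to apply them.
        print(group_name, delete_group(client, group_name, dry_run=True))
```

Review the dry-run output before switching to `dry_run=False`, since a group that is empty today may still be referenced by onboarding automation.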


  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_access-management.html
  2. https://docs.aws.amazon.com/cli/latest/reference/iam/delete-group-policy.html
  3. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_delete.html

IAM Group

An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset