There is an IAM group defined without any users in it and therefore unused.
When users leave your organization or services are no longer used, it is important to find the credentials they were using and ensure that they are no longer operational. Ideally, delete credentials that are no longer needed; you can always recreate them later if the need arises. At the very least, change the credentials so that former users no longer have access. IAM groups defined without any users are unused groups. The definition of “unused” can vary; for credentials it usually means one that has not been used within a specified period of time. Unused groups not only add complexity to your environment, they may also create a security vulnerability by making it harder to see whether unauthorized privilege has been granted.

Suggested Action

Ensure that groups defined within IAM have active users in them. If a group has no active users or is not being used, delete the unused IAM group. Remove IAM user credentials (that is, passwords, access keys, and group memberships) that are not needed. For example, an IAM user that is used for an application does not need a password (passwords are necessary only to sign in to AWS websites). Similarly, if a user does not and will never use access keys, there’s no reason for the user to have them. Also, passwords and access keys that have not been used recently are good candidates for removal.
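As an added example (not part of this page or of any AWS tooling), the check below runs over a constructed inventory shaped like the output of the IAM calls ListGroups, GetGroup and ListAttachedGroupPolicies, flags groups with no members, ranks an empty group higher when it still carries attached policies, and lists the calls IAM requires before DeleteGroup will succeed.

```python
# Constructed sample inventory (not real account data). In practice this is
# built from `aws iam list-groups`, `aws iam get-group` and
# `aws iam list-attached-group-policies` for each group.
SAMPLE_GROUPS = [
    {"GroupName": "Developers", "Users": ["alice", "bob"],
     "AttachedPolicies": ["PowerUserAccess"]},
    {"GroupName": "LegacyOps", "Users": [],
     "AttachedPolicies": ["AdministratorAccess"]},
    {"GroupName": "Empty", "Users": [], "AttachedPolicies": []},
]


def find_unused_groups(groups):
    """Return a finding for every group that has no member users.

    An empty group that still has policies attached is the case the text
    warns about: privilege is granted but nobody is visibly using it, and a
    single AddUserToGroup call would hand it out. Such groups are ranked
    "high"; empty groups with no policies are "low".
    """
    findings = []
    for group in groups:
        if group["Users"]:
            continue
        findings.append({
            "GroupName": group["GroupName"],
            "AttachedPolicies": list(group["AttachedPolicies"]),
            "Severity": "high" if group["AttachedPolicies"] else "low",
        })
    return findings


def deletion_plan(group):
    """Ordered IAM API calls needed to remove a group.

    IAM rejects DeleteGroup while the group still has members or attached
    managed policies, so those are stripped first. Inline policies (not
    modelled in the sample) would additionally need DeleteGroupPolicy.
    """
    steps = [("RemoveUserFromGroup", user) for user in group["Users"]]
    steps += [("DetachGroupPolicy", policy)
              for policy in group["AttachedPolicies"]]
    steps.append(("DeleteGroup", group["GroupName"]))
    return steps


if __name__ == "__main__":
    for finding in find_unused_groups(SAMPLE_GROUPS):
        print(finding)
        print("  plan:", deletion_plan(
            next(g for g in SAMPLE_GROUPS
                 if g["GroupName"] == finding["GroupName"])))
```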

Tags: iam