---
title: IAM group without users
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > IAM group without users
---

# IAM group without users

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `f509931b-bbb0-443c-bd9b-10e92ecf2193`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/iam_group_module.html)

### Description{% #description %}

IAM groups should include at least one user to ensure group membership and any attached permissions are intentional, auditable, and not left orphaned.

This rule checks Ansible `amazon.aws.iam_group` and `iam_group` tasks and requires the `users` property to be defined, non-null, and a list containing one or more usernames. Tasks that omit the `users` property, set it to `null` (including a bare `users:` key), or pass an empty list are flagged. Either populate the list with the intended usernames, or remove the unused group and its associated policies.

Secure configuration example:

```yaml
- name: Create developers IAM group with users
  amazon.aws.iam_group:
    name: developers
    users:
      - alice
      - bob
    state: present
```
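As an added illustration of the check this rule performs (example code, not Datadog's rule engine or the Ansible collection's own code), the following Python walks a parsed Ansible task list, descends into `block`/`rescue`/`always` sections, and reports `iam_group` tasks whose `users` is missing, null, empty, or contains only blank names. `SAMPLE_TASKS` is constructed here to mirror the page's examples, and the optional `check_playbook_text` helper assumes PyYAML is installed.

```python
"""Hypothetical checker for the 'IAM group without users' rule (not Datadog's code)."""
from typing import Any, Iterator

# Both the short and the fully qualified module name trigger the rule.
IAM_GROUP_MODULES = ("amazon.aws.iam_group", "iam_group")


def _iter_tasks(tasks: list[dict[str, Any]]) -> Iterator[dict[str, Any]]:
    """Yield every task, including those nested under block/rescue/always."""
    for task in tasks:
        for section in ("block", "rescue", "always"):
            if isinstance(task.get(section), list):
                yield from _iter_tasks(task[section])
        yield task


def has_users(params: Any) -> bool:
    """True only when `users` is a non-empty list of non-blank usernames."""
    if not isinstance(params, dict):
        return False  # free-form or malformed args: no usable `users` list
    users = params.get("users")  # a bare `users:` key loads as None
    return (isinstance(users, list) and len(users) > 0
            and all(isinstance(u, str) and u.strip() for u in users))


def find_groups_without_users(tasks: list[dict[str, Any]]) -> list[str]:
    """Return the names of iam_group tasks that violate the rule, in order."""
    findings: list[str] = []
    for task in _iter_tasks(tasks):
        for module in IAM_GROUP_MODULES:
            if module in task and not has_users(task[module]):
                findings.append(task.get("name", "<unnamed>"))
    return findings


def check_playbook_text(yaml_text: str) -> list[str]:
    """Same check over raw task-list YAML; needs PyYAML (assumed installed)."""
    import yaml  # imported lazily so the rest of the module works without it
    return find_groups_without_users(yaml.safe_load(yaml_text) or [])


# Constructed sample tasks mirroring the page's compliant and non-compliant
# examples, in already-parsed form.
SAMPLE_TASKS = [
    {"name": "Group3", "iam_group": {"name": "testgroup2", "users": ["test_user1", "test_user2"], "state": "present"}},
    {"name": "Group2", "iam_group": {"name": "testgroup2", "users": None, "state": "present"}},
    {"name": "Group1", "iam_group": {"name": "testgroup1", "state": "present"}},
    {"name": "Group4", "amazon.aws.iam_group": {"name": "ops", "users": [], "state": "present"}},
]

if __name__ == "__main__":
    print(find_groups_without_users(SAMPLE_TASKS))  # ['Group2', 'Group1', 'Group4']
```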

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Group3
  iam_group:
    name: testgroup2
    managed_policy:
      - arn:aws:iam::aws:policy/AmazonSNSFullAccess
    users:
      - test_user1
      - test_user2
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: Group2
  iam_group:
    name: testgroup2
    managed_policy:
      - arn:aws:iam::aws:policy/AmazonSNSFullAccess
    users:
    state: present
```

```yaml
- name: Group1
  iam_group:
    name: testgroup1
    state: present
```
