IAM group without users

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > IAM group without users

Metadata

Id: cloudformation-aws-iam-group-without-users

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Access Control

Learn More

Provider Reference

Description

IAM groups should have at least one user assigned so that group permissions are actively used and auditable. Empty groups can hide orphaned or over-permissive permission sets and increase the risk of unintended access if the group is later reused.

This rule checks CloudFormation templates and requires each AWS::IAM::Group to be referenced by at least one AWS::IAM::User via the user’s Groups property. AWS::IAM::Group resources with no such references will be flagged.

If group membership is managed outside CloudFormation (for example, by an external identity provider) or a group is intentionally created empty for future use, document that intent or manage membership through IaC to avoid false positives.

Secure example with a user assigned to the group:

MyGroup:
  Type: AWS::IAM::Group
  Properties:
    GroupName: my-group

AliceUser:
  Type: AWS::IAM::User
  Properties:
    UserName: alice
    Groups:
      - !Ref MyGroup

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
    myuser:
      Type: AWS::IAM::Group
      Properties:
        Path: "/"
        LoginProfile:
          Password: myP@ssW0rd
        Policies:
        - PolicyName: giveaccesstoqueueonly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Action:
              - sqs:*
              Resource:
              - !GetAtt myqueue.Arn
            - Effect: Deny
              Action:
              - sqs:*
              NotResource:
              - !GetAtt myqueue.Arn
    IamUserAdminSample:
      Type: AWS::IAM::User
      Condition: IsSampleIamUser
      Properties:
        UserName: sample-iam-user-admin
        Groups:
        - !Ref 'myuser'

{
  "Description": "A sample template",
  "Resources": {
    "myuserr": {
      "Type": "AWS::IAM::Group",
      "Properties": {
        "Policies": [
          {
            "PolicyName": "giveaccesstoqueueonly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "sqs:*"
                  ],
                  "Resource": [
                    "myqueue.Arn"
                  ]
                },
                {
                  "NotResource": [
                    "myqueue.Arn"
                  ],
                  "Effect": "Deny",
                  "Action": [
                    "sqs:*"
                  ]
                }
              ]
            }
          }
        ],
        "Path": "/",
        "LoginProfile": {
          "Password": "myP@ssW0rd"
        }
      }
    },
    "IamUserAdminSample": {
      "Type": "AWS::IAM::User",
      "Condition": "IsSampleIamUser",
      "Properties": {
        "UserName": "sample-iam-user-admin",
        "Groups": [
          "myuserr"
        ]
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09"
}

AWSTemplateFormatVersion: "2010-09-09"
Description: A user is attached to the group through a short-form Ref intrinsic
Resources:
  developers:
    Type: AWS::IAM::Group
    Properties:
      Path: "/"
  developerUser:
    Type: AWS::IAM::User
    Properties:
      UserName: developer-user
      Groups:
        - !Ref developers

Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template 2
Resources:
    myuseeer:
      Type: AWS::IAM::Group
      Properties:
        Path: "/"
        LoginProfile:
          Password: myP@ssW0rd
        Policies:
        - PolicyName: giveaccesstoqueueonly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Action:
              - sqs:*
              Resource:
              - !GetAtt myqueue.Arn
            - Effect: Deny
              Action:
              - sqs:*
              NotResource:
              - !GetAtt myqueue.Arn
    IamUserAdminSample22:
      Type: AWS::IAM::User
      Condition: IsSampleIamUser
      Properties:
        UserName: sample-iam-user-admin
        Groups:
        - !Ref 'myu2ser'

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "myuseeer2": {
      "Type": "AWS::IAM::Group",
      "Properties": {
        "Policies": [
          {
            "PolicyName": "giveaccesstoqueueonly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "sqs:*"
                  ],
                  "Resource": [
                    "myqueue.Arn"
                  ]
                },
                {
                  "Action": [
                    "sqs:*"
                  ],
                  "NotResource": [
                    "myqueue.Arn"
                  ],
                  "Effect": "Deny"
                }
              ]
            }
          }
        ],
        "Path": "/",
        "LoginProfile": {
          "Password": "myP@ssW0rd"
        }
      }
    },
    "IamUserAdminSample222": {
      "Type": "AWS::IAM::User",
      "Condition": "IsSampleIamUser",
      "Properties": {
        "UserName": "sample-iam-user-admin",
        "Groups": [
          "myu2ser"
        ]
      }
    }
  }
}