---
title: IAM group without users
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > IAM group without users
---

# IAM group without users

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `cloudformation-aws-iam-group-without-users` 

**Provider:** AWS

**Platform:** CloudFormation

**Severity:** Medium

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html)

### Description{% #description %}

IAM groups should have at least one user assigned so that group permissions are actively used and auditable. Empty groups can hide orphaned or over-permissive permission sets and increase the risk of unintended access if the group is later reused.

This rule checks CloudFormation templates and requires each `AWS::IAM::Group` to be referenced by at least one `AWS::IAM::User` via the user's `Groups` property. `AWS::IAM::Group` resources with no such references will be flagged.

If group membership is managed outside CloudFormation (for example, by an external identity provider) or a group is intentionally created empty for future use, document that intent or manage membership through IaC to avoid false positives.

Secure example with a user assigned to the group:

```yaml
MyGroup:
  Type: AWS::IAM::Group
  Properties:
    GroupName: my-group

AliceUser:
  Type: AWS::IAM::User
  Properties:
    UserName: alice
    Groups:
      - !Ref MyGroup
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
    myuser:
      Type: AWS::IAM::Group
      Properties:
        Path: "/"
        LoginProfile:
          Password: myP@ssW0rd
        Policies:
        - PolicyName: giveaccesstoqueueonly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Action:
              - sqs:*
              Resource:
              - !GetAtt myqueue.Arn
            - Effect: Deny
              Action:
              - sqs:*
              NotResource:
              - !GetAtt myqueue.Arn
    IamUserAdminSample:
      Type: AWS::IAM::User
      Condition: IsSampleIamUser
      Properties:
        UserName: sample-iam-user-admin
        Groups:
        - !Ref 'myuser'
```

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A user is attached to the group through a short-form Ref intrinsic
Resources:
  developers:
    Type: AWS::IAM::Group
    Properties:
      Path: "/"
  developerUser:
    Type: AWS::IAM::User
    Properties:
      UserName: developer-user
      Groups:
        - !Ref developers
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template 2
Resources:
    myuseeer:
      Type: AWS::IAM::Group
      Properties:
        Path: "/"
        LoginProfile:
          Password: myP@ssW0rd
        Policies:
        - PolicyName: giveaccesstoqueueonly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Action:
              - sqs:*
              Resource:
              - !GetAtt myqueue.Arn
            - Effect: Deny
              Action:
              - sqs:*
              NotResource:
              - !GetAtt myqueue.Arn
    IamUserAdminSample22:
      Type: AWS::IAM::User
      Condition: IsSampleIamUser
      Properties:
        UserName: sample-iam-user-admin
        Groups:
        - !Ref 'myu2ser'
```