Groups Without Users Should Be Removed

More Info:

Empty groups should be cleaned up and should not linger around.

Risk Level

Informational

Address

Security

Compliance Standards

CBP This rule identifies IAM roles that do not require multi-factor authentication (MFA) or external ID for assumed roles. Roles without MFA or external ID can pose security risks, as they may allow unauthorized access or increase the attack surface for potential breaches. Enforcing MFA and external ID requirements adds an additional layer of security to IAM roles and helps prevent unauthorized access.

Triage and Remediation

How to Prevent

Using Console

Using CLI

To prevent the misconfiguration of having IAM groups without users in AWS using the AWS CLI, you can follow these steps:

List All IAM Groups: Use the following command to list all IAM groups in your AWS account. This will help you identify which groups exist.
```
aws iam list-groups
```
Check Group Membership: For each group, check if there are any users associated with it. Replace <group-name> with the name of the group you want to check.
```
aws iam get-group --group-name <group-name>
```

Automate the Check: Create a script to automate the process of checking each group for users. Here is a simple example in bash:

for group in $(aws iam list-groups --query 'Groups[*].GroupName' --output text); do
    users=$(aws iam get-group --group-name $group --query 'Users' --output text)
    if [ -z "$users" ]; then
        echo "Group $group has no users."
    fi
done

Policy to Prevent Empty Groups: Implement a policy or governance rule within your organization to ensure that IAM groups are regularly audited and empty groups are either populated with users or removed. This can be enforced through periodic reviews and automated scripts.

By following these steps, you can prevent the misconfiguration of having IAM groups without users in AWS using the AWS CLI.

Using Python

To prevent the creation of IAM groups without users in AWS, Azure, and GCP using Python scripts, you can follow these steps:

AWS (Amazon Web Services)

Install Boto3 Library: Ensure you have the Boto3 library installed to interact with AWS services.
```
pip install boto3
```

Create a Python Script to Check and Prevent Empty Groups:

import boto3

iam = boto3.client('iam')

def prevent_empty_groups():
    groups = iam.list_groups()['Groups']
    for group in groups:
        group_name = group['GroupName']
        users = iam.get_group(GroupName=group_name)['Users']
        if not users:
            print(f"Group {group_name} is empty. Please add users or remove the group.")
            # Optionally, you can delete the group here
            # iam.delete_group(GroupName=group_name)

prevent_empty_groups()

Azure (Microsoft Azure)

Install Azure Identity and Management Libraries: Ensure you have the Azure Identity and Management libraries installed.
```
pip install azure-identity azure-mgmt-authorization
```

Create a Python Script to Check and Prevent Empty Groups:

from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient

credential = DefaultAzureCredential()
subscription_id = 'your-subscription-id'
client = AuthorizationManagementClient(credential, subscription_id)

def prevent_empty_groups():
    groups = client.groups.list()
    for group in groups:
        group_id = group.id
        members = client.group_members.list(group_id)
        if not list(members):
            print(f"Group {group.display_name} is empty. Please add users or remove the group.")
            # Optionally, you can delete the group here
            # client.groups.delete(group_id)

prevent_empty_groups()

GCP (Google Cloud Platform)

Install Google Cloud IAM Library: Ensure you have the Google Cloud IAM library installed.
```
pip install google-cloud-iam
```

Create a Python Script to Check and Prevent Empty Groups:

from google.cloud import iam_v1

client = iam_v1.IAMClient()

def prevent_empty_groups():
    groups = client.list_groups()
    for group in groups:
        group_name = group.name
        members = client.list_group_members(group_name)
        if not list(members):
            print(f"Group {group.display_name} is empty. Please add users or remove the group.")
            # Optionally, you can delete the group here
            # client.delete_group(group_name)

prevent_empty_groups()

Summary

Install the necessary libraries for AWS, Azure, and GCP.
Create a Python script to list all IAM groups.
Check if each group has users.
Print a warning message if a group is empty, and optionally delete the group.

These scripts will help you prevent the creation of empty IAM groups by checking for users and alerting you if any group is found to be empty.

Additional Reading:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_add-remove-users.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Groups Without Users Should Be Removed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

AWS (Amazon Web Services)

Azure (Microsoft Azure)

GCP (Google Cloud Platform)

Summary

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​How to Prevent

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

Additional Reading: