Checks whether all RAM user groups have at least one RAM user and at least one attached policy.
Scenarios
Use this rule to detect and clean up unused RAM user groups regularly. Orphaned groups — those with no members or no attached policies — create unnecessary complexity and can expose your account to unintended access configurations. Scheduled to run every 24 hours, this check keeps your RAM structure lean and auditable.
Risk level
Default risk level: low.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
If a RAM user group has at least one RAM user and at least one attached policy, the evaluation result is Compliant.
If a RAM user group has no RAM users, or has no attached policy, the evaluation result is Noncompliant. To fix a noncompliant configuration, see Noncompliance remediation.
Rule details
|
Item |
Description |
|
Rule name |
ram-group-in-use-check |
|
Rule identifier |
ram-group-in-use-check |
|
Tag |
RAM and Group |
|
Automatic remediation |
Not supported |
|
Trigger type |
Periodic execution |
|
Evaluation frequency |
Every 24 hours |
|
Supported resource type |
RAM user |
|
Input parameter |
None |
Noncompliance remediation
Delete the unused RAM user group, or add users and attach a policy to it. For more information, see Delete an invalid RAM user group or Grant permissions to a RAM user group.