All Products
Search
Document Center

Cloud Config:ram-group-in-use-check

Last Updated:Jun 10, 2026

Checks whether all RAM user groups have at least one RAM user and at least one attached policy.

Scenarios

Use this rule to detect and clean up unused RAM user groups regularly. Orphaned groups — those with no members or no attached policies — create unnecessary complexity and can expose your account to unintended access configurations. Scheduled to run every 24 hours, this check keeps your RAM structure lean and auditable.

Risk level

Default risk level: low.

When you apply this rule, you can change the risk level based on your business requirements.

Compliance evaluation logic

  • If a RAM user group has at least one RAM user and at least one attached policy, the evaluation result is Compliant.

  • If a RAM user group has no RAM users, or has no attached policy, the evaluation result is Noncompliant. To fix a noncompliant configuration, see Noncompliance remediation.

Rule details

Item

Description

Rule name

ram-group-in-use-check

Rule identifier

ram-group-in-use-check

Tag

RAM and Group

Automatic remediation

Not supported

Trigger type

Periodic execution

Evaluation frequency

Every 24 hours

Supported resource type

RAM user

Input parameter

None

Noncompliance remediation

Delete the unused RAM user group, or add users and attach a policy to it. For more information, see Delete an invalid RAM user group or Grant permissions to a RAM user group.