IAM users should be members of at least one group


It is an IAM best practice for permissions to be managed at the group level, and therefore, for policies to be attached to groups - not users. Ensuring that a user belongs to at least one group helps prevent the user’s permissions from being managed separately.

Remediation Steps

AWS Console

Repeat the steps below for each group you want to add a user to:

  • Navigate to IAM.

  • In the left pane, choose Groups and then choose the name of the group you want to add the user to.

  • Choose the Users tab and then choose Add Users to Group.

  • Select the check box next to the users you want to add.

  • Choose Add Users.


To add a user to a group, replace MY_USER_NAME and MY_GROUP_NAME with the name of the desired user and group:

  • aws iam add-user-to-group --user-name MY_USER_NAME --group-name MY_GROUP_NAME


Example Configuration

resource "aws_iam_user" "user" {
  name = "example-user"
  # other required fields here

resource "aws_iam_group" "group" {
  name = "example-group"
  # other required fields here

resource "aws_iam_group_membership" "membership" {
  name = "example-membership"

  users = [

  group = aws_iam_group.group.name