1. Assessment

  • List IAM groups and identify current user and role memberships
  • Identify IAM groups with no users or roles attached
  • User: Review empty IAM groups and confirm which are unused and can be deleted

2. Configuration

  • Delete IAM groups that are confirmed as unused and have no members

3. Validation

  • Confirm that only approved unused IAM groups were deleted and no required groups are missing

Identify and Clean Up Unused IAM Groups

Overview

Clean up unused IAM groups to reduce security risk and simplify identity management. This plan helps you discover IAM groups that have no members, review whether they are truly unused, safely delete only those that are approved, and then verify that no required groups were removed.

You will first build an inventory of IAM groups and their memberships, then identify groups with no users or associated roles. The plan guides you through reviewing these “empty” groups, deciding whether they should be deleted or retained, and finally performing and validating the deletions with clear reporting at each stage.

Execution Details

Assessment

In the Assessment phase, you build a complete picture of IAM groups in scope:

  • List IAM groups and memberships
    Enumerate IAM groups across the selected AWS accounts and record key details such as group name, ARN, path, creation date, and any attached or inline policies. For each group, capture which IAM users are members and note any associations with IAM roles (using tags, naming conventions, or documentation where applicable). All of this information is stored in a structured format for later analysis.

  • Identify empty IAM groups
    Using the inventory, evaluate each group’s membership to find those with zero users and zero associated roles. For these empty groups, capture additional context such as attached and inline policies and relevant tags (e.g., Environment, Application, Owner). The result is a structured list of candidate empty groups for you to review and approve for deletion.

  • User: Review empty groups and confirm which are unused
    Present the consolidated list of empty IAM groups and guide you through reviewing their intended purpose based on name, tags, and known usage. You classify each group as approved for deletion, to be retained, or requiring further investigation. Reasons for retaining or investigating a group are documented, and a finalized, user-approved list of groups to delete is produced for the next phase.

Configuration

In the Configuration phase, you carry out the clean-up of unused groups:

  • Delete IAM groups confirmed as unused and empty
    Start from the user-approved deletion list and recheck each group to ensure it still has no users or associated roles. Any group that has gained members is removed from the deletion list and flagged for follow-up. For groups that remain empty and approved, detach managed policies and remove inline policies as needed, then delete the groups. Any failures or unexpected dependencies are logged with details. Afterward, re-enumerate IAM groups in affected accounts to confirm the targeted groups are gone and no other groups were removed. A configuration summary is generated, listing successful deletions, failures (with reasons), and confirmation that only approved unused groups were targeted.

Validation

In the Validation phase, you confirm the environment is consistent and no required groups are missing:

  • Confirm only approved unused IAM groups were deleted
    Compare the final approved deletion list with the groups reported as deleted, and re-enumerate all IAM groups in the in-scope accounts. Verify that every group marked as deleted no longer appears, and that no additional groups outside the approved list have been removed. Any discrepancies—such as groups that should have been deleted but still exist, or groups deleted without approval—are documented with impacted accounts, group identifiers, and suggested remediation. A final validation report summarizes which empty groups were successfully removed, which could not be deleted and why, and confirms that no required IAM groups are missing.
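The three phases above, written out as an added Python example that is not the plan's own code. It calls the boto3 IAM client method names (list_groups, get_group, list_attached_group_policies, list_group_policies, detach_group_policy, delete_group_policy, delete_group), so a real run can pass boto3.client("iam"); FakeIAM and SAMPLE are constructed stand-ins that let it run offline and reproduce IAM's refusal to delete a group that still carries policies.

```python
def inventory_groups(iam):
    """Assessment: members and policies per group (single page; real accounts should use iam.get_paginator('list_groups'))."""
    inv = {}
    for g in iam.list_groups()["Groups"]:
        n = g["GroupName"]
        users = iam.get_group(GroupName=n)["Users"]
        attached = iam.list_attached_group_policies(GroupName=n)["AttachedPolicies"]
        inv[n] = {"users": [u["UserName"] for u in users],
                  "managed": [p["PolicyArn"] for p in attached],
                  "inline": iam.list_group_policies(GroupName=n)["PolicyNames"]}
    return inv

def empty_groups(inv):
    """Candidates for the review step: groups with zero members."""
    return sorted(n for n, g in inv.items() if not g["users"])

def delete_approved(iam, approved):
    """Configuration: recheck membership, strip policies, then delete. Returns (deleted, skipped)."""
    deleted, skipped = [], []
    for n in approved:
        if iam.get_group(GroupName=n)["Users"]:  # gained members since approval: flag, do not delete
            skipped.append(n)
            continue
        for p in iam.list_attached_group_policies(GroupName=n)["AttachedPolicies"]:
            iam.detach_group_policy(GroupName=n, PolicyArn=p["PolicyArn"])
        for pn in iam.list_group_policies(GroupName=n)["PolicyNames"]:
            iam.delete_group_policy(GroupName=n, PolicyName=pn)
        iam.delete_group(GroupName=n)  # IAM answers DeleteConflict while any policy is still attached
        deleted.append(n)
    return deleted, skipped

def validate(iam, before, approved, deleted):
    now = {g["GroupName"] for g in iam.list_groups()["Groups"]}  # re-enumerate after deletion
    return {"still_present": sorted(set(deleted) & now),
            "unapproved_removed": sorted(set(before) - now - set(approved))}

class FakeIAM:  # constructed offline stand-in mirroring boto3 IAM response shapes
    def __init__(self, groups): self.g = groups
    def list_groups(self): return {"Groups": [{"GroupName": n} for n in self.g]}
    def get_group(self, GroupName): return {"Users": [{"UserName": u} for u in self.g[GroupName]["users"]]}
    def list_attached_group_policies(self, GroupName): return {"AttachedPolicies": [{"PolicyArn": a} for a in self.g[GroupName]["managed"]]}
    def list_group_policies(self, GroupName): return {"PolicyNames": list(self.g[GroupName]["inline"])}
    def detach_group_policy(self, GroupName, PolicyArn): self.g[GroupName]["managed"].remove(PolicyArn)
    def delete_group_policy(self, GroupName, PolicyName): self.g[GroupName]["inline"].remove(PolicyName)
    def delete_group(self, GroupName):  # real IAM rejects a group that still has users or policies
        if any(self.g[GroupName].values()): raise RuntimeError("DeleteConflict")
        del self.g[GroupName]

SAMPLE = {  # constructed account: two empty groups (one still carrying policies), one in use
    "legacy-readonly": {"users": [], "managed": ["arn:aws:iam::aws:policy/ReadOnlyAccess"], "inline": ["old-s3"]},
    "stale-deploy": {"users": [], "managed": [], "inline": []},
    "developers": {"users": ["alice"], "managed": [], "inline": []}}
```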