
AWS – IAM Groups

IAM Groups

  • An IAM Group is a collection of users.
  • A group specifies the permissions for a collection of users, which makes it easy to manage permissions for all of those users at once.
  • Suppose you create a group called Admin and assign to it the permissions that administrators typically need. Any user who joins the Admin group then has all the permissions assigned to the group. If a new user who joins the organization needs administrator privileges, you grant the appropriate permissions simply by adding that user to the group. If a person changes job roles, instead of editing that user's permissions, you remove the user from one group and add the user to another.


Characteristics of IAM Group

  • A group is a collection of users, and a user can also belong to multiple groups.
  • Groups cannot be nested, i.e., a group cannot contain another group.
  • There is no default group that automatically includes all the users in an AWS account. If you want such a group, create it and then add the users to it.
  • There is a limit to the number of groups you can have, and also a limit to the number of groups a user can belong to.

Creating a Group (AWS Management Console)

  • Sign in to the AWS Management Console by entering your email address and password.
  • Open the IAM Console.
  • In the navigation pane, click Groups. The Groups page opens.


  • Click Create New Group.


  • In the Group Name box, enter the group name and then click Next Step.
  • Select the checkbox next to each policy that you want to attach to the group.
  • Click Next Step, and then click Create Group.

Creating a Group (API or CLI)

  • Create a Group

CLI Command: 

aws iam create-group

Suppose you want to create a group named Admin; the following command creates it:

aws iam create-group --group-name Admin

Listing IAM Groups (AWS Management Console)

  • Sign in to the AWS Management Console by entering your email address and password.
  • Open the IAM Console.
  • In the navigation pane, click Groups. The Groups page opens and lists the groups in the account.


The above figure shows that one user exists whose name is MyUser.

Listing the IAM Groups to which a User Belongs (AWS Management Console)

  • Sign in to the AWS Management Console by entering your email address and password.
  • Open the IAM Console.
  • In the navigation pane, click Users, and then click the user name.
  • Open the Groups tab to see the groups the user belongs to.

Listing IAM Groups (AWS API or CLI)

  • List all the groups available in your AWS account

CLI Command: 

aws iam list-groups

API Command: 

ListGroups

  • List all the users that belong to your group

CLI Command: 

aws iam get-group

API Command: 

GetGroup

Deleting an IAM Group (AWS Management Console)

  • Sign in to the AWS Management Console.
  • Open the IAM Console.
  • In the navigation pane, click Groups.
  • Select the checkbox next to the group name.


  • Open the Group Actions dropdown menu.


  • In the dropdown menu, click Delete Group. A confirmation dialog appears.


  • Click Yes, Delete to delete the group.

Deleting an IAM Group (AWS CLI or API)

A group cannot be deleted while it still has members or attached policies, so the deletion is a four-step procedure:

  • Remove all the users from the group.

CLI Command:

aws iam get-group (to list all the users of a group)

aws iam remove-user-from-group (removes one user from the group; run it once per user)

API Command:

GetGroup (to list all the users of a group)

RemoveUserFromGroup (removes one user from the group; call it once per user)

  • Delete the inline policies embedded in the group.

CLI Command: 

aws iam list-group-policies (to list all the group’s inline policies)

aws iam delete-group-policy (to delete the group’s inline policies)

API Command: 

ListGroupPolicies (to list all the group’s inline policies)

DeleteGroupPolicy (to delete the group’s inline policies)

  • Detach the managed policies attached to the group.

CLI Command: 

aws iam list-attached-group-policies (to list all the group’s managed policies)

aws iam detach-group-policy (to detach the group’s managed policies)

API Command: 

ListAttachedGroupPolicies (to list all the group’s managed policies)

DetachGroupPolicy (to detach the group’s managed policies)

  • Delete the group.

CLI Command: 

aws iam delete-group

API Command:

DeleteGroup
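The four CLI steps above chained into one script, as an added example that is not part of the original tutorial. It assumes a configured AWS CLI, takes the group name as its first argument, and uses the CLI's --query/--output text options to feed each listing into the next loop.

```shell
#!/bin/sh
# Empty an IAM group, strip its policies, then delete it (the order DeleteGroup requires).
# Assumes the AWS CLI is installed and configured; "aws" is resolved at call time.
set -eu

# Members of the group (GetGroup), one user name per word.
group_users() {
  aws iam get-group --group-name "$1" --query 'Users[].UserName' --output text
}

# Inline policies embedded in the group (ListGroupPolicies).
group_inline_policies() {
  aws iam list-group-policies --group-name "$1" --query 'PolicyNames[]' --output text
}

# Managed policies attached to the group (ListAttachedGroupPolicies), as ARNs.
group_managed_policies() {
  aws iam list-attached-group-policies --group-name "$1" \
    --query 'AttachedPolicies[].PolicyArn' --output text
}

delete_iam_group() {
  group="$1"
  # 1. remove-user-from-group removes a single user, so loop over the membership.
  for user in $(group_users "$group"); do
    aws iam remove-user-from-group --group-name "$group" --user-name "$user"
  done
  # 2. Inline policies are deleted (they exist only inside this group).
  for policy in $(group_inline_policies "$group"); do
    aws iam delete-group-policy --group-name "$group" --policy-name "$policy"
  done
  # 3. Managed policies are only detached; the policy objects themselves survive.
  for arn in $(group_managed_policies "$group"); do
    aws iam detach-group-policy --group-name "$group" --policy-arn "$arn"
  done
  # 4. Now the group is empty and unattached, so DeleteGroup succeeds.
  aws iam delete-group --group-name "$group"
}

# Run only when a group name is supplied on the command line.
if [ "$#" -gt 0 ]; then
  delete_iam_group "$1"
fi
```

Because the script never deletes a managed policy, a policy shared with other groups or users stays in place; only this group's reference to it is removed.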
