How to create an IAM Group

An IAM group is nothing but a collection of IAM users. Groups can simplify managing permissions for multiple users. Instead of attaching policies to individual users, they can be attached to a group and the users can be added to the group. In this post I’m going to show you how to create group, attach policy and add users to the group.

On the AWS Management Console homepage, choose IAM service under Recently visited services.

Choose Groups on the left hand navigation pane on the Identity and Access Management page.

As you can see from the below image, I do not have any groups created in my AWS account. Now choose Create New Group.

Provide a value for the Group Name and choose Next. I chose to name my group as DevGroup.

Select all the policies that you would like to attach to the group. I attached AmazonS3ReadOnlyAccess policy to the DevGroup, which means all users that are added to DevGroup will have read access to all S3 buckets and objects. After selecting all the required policies, choose Next Step.

Review the group name and policies and choose Create Group.

Below image shows that I now have DevGroup created. To add users to the group choose Add Users to Group under Group Actions.

Now select all the users that you would like to add to the group and choose Add Users. I have selected user1 to be added to the group.

Let’s assume a scenario where an employee is moved to a different team and you would like to keep the user account but change the permissions for that user. You can simply remove user from the group by choosing Remove Users from Group under Group Actions.

Select all the users that you would like to remove from the group and choose Remove Users.

As you can see from the below image, the user has been removed from the DevGroup and the number of users added to this group is back to 0.

See also  How to list all the IAM groups of your AWS account