Get a free AWS Well-Architected Assessment ->

IAM Group

Amazon Web Services

•

Permissions

An IAM group is a collection of multiple IAM users, that let you easily grant, change, and remove permissions to those users at the same time. Changes in permissions made to a group affect each individual user within that group making it easier to manage.

Terraform Name

terraform

aws_iam_group

IAM Group

attributes:

‍name - (Required) The group's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-_.. Group names are not distinguished by case. For example, you cannot create groups named both "ADMINS" and "admins".
path - (Optional, default "/") Path in which to create the group.

‍

Associating resources with a

IAM Group

Resources do not "belong" to a

IAM Group

Rather, one or more Security Groups are associated to a resource.

Create

IAM Group

via Terraform:

The following HCL creates an IAM group

Syntax:

resource "aws_iam_group" "developers" {
name = "developers"
path = "/users/"
}

‍

Create

IAM Group

via CLI:

Parametres:

create-group
[--path <value>]
--group-name <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws iam create-group --group-name Admins

aws cost

Costs

The cost of using Identity and Access Management (IAM) features is free, as it is included in the overall cost of using Amazon Web Services (AWS). There are no charges for creating or using IAM users, groups, roles, or policies. However, some AWS services, such as Amazon S3 or Amazon EC2, may incur charges for using IAM features, such as creating an IAM role to access an Amazon S3 bucket or an Amazon EC2 instance.

Direct Cost

--

Indirect Cost

No items found.

Best Practices for

IAM Group

Categorized by Availability, Security & Compliance and Cost

Medium

AMI (Amazon Machine Images) not in use

AWS Cost Optimization

AWS Well-Architected Framework

Medium

AMI (Amazon Machine Images) not in use (12 months)

AWS Cost Optimization

AWS Well-Architected Framework

High

AWS Config configuration changes alarm

Security & Compliance

AWS Well-Architected Framework

Low

Access allowed from VPN

Security & Compliance

No items found.

Low

Auto Scaling Group not in use

Other

No items found.

Low

CloudTrail changes alarm

Security & Compliance

Medium

Connections towards DynamoDB should be via VPC endpoints

Security & Compliance

No items found.

Medium

Connections towards S3 should be via VPC endpoint

Security & Compliance

Medium

Container in CrashLoopBackOff state

Availability

No items found.

Low

Cross peering connectivity is allowed by EC2

Security & Compliance

Low

Cross peering connectivity is allowed by ECS Task

Security & Compliance

Low

Cross peering connectivity is allowed by Lambda

Security & Compliance

Low

Cross peering connectivity is allowed by Pod

Security & Compliance

Low

Cross transit connectivity is allowed by EC2

Security & Compliance

Low

Cross transit connectivity is allowed by ECS

Security & Compliance

Low

Cross transit connectivity is allowed by Lambda

Security & Compliance

Low

Cross transit connectivity is allowed by Pod

Security & Compliance

Medium

DynamoDB tables not in use

AWS Cost Optimization

AWS Well-Architected Framework

Medium

EBS snapshots not in use

AWS Cost Optimization

AWS Well-Architected Framework

Medium

EBS volume not in use

AWS Cost Optimization

AWS Well-Architected Framework

Low

EC2 large instance create alarm

Security & Compliance

AWS Well-Architected Framework

Medium

EC2 should have a name set

Other

Critical

EC2 with Admin access (*:*)

Security & Compliance

Low

EC2 with GPU capabilities

AWS Cost Optimization

No items found.

Medium

EC2 with high privileged policies

Security & Compliance

No items found.

Medium

ECS cluster delete alarm

Availability

No items found.

Critical

ECS task with Admin access (*:*)

Security & Compliance

Medium

ECS task with high privileged policies

Security & Compliance

No items found.

Critical

EKS cluster delete alarm

Availability

No items found.

Medium

AWS Cost Optimization

AWS Well-Architected Framework

Medium

ElastiCache cluster delete alarm

Availability

No items found.

Medium

Elastic IP not in use

AWS Cost Optimization

AWS Well-Architected Framework

Low

Ensure API Gateway has Content Encoding feature enabled

Other

Medium

Ensure AWS Config is configured to include global resources

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure AWS EKS cluster has secrets encryption enabled

Security & Compliance

Medium

Ensure Amazon MQ broker instances are using desired instance types

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure Amazon MQ brokers Auto Minor Version Upgrade feature is enabled

Security & Compliance

Low

Ensure Amazon MQ brokers Log Exports feature is enabled

Security & Compliance

Medium

Ensure Amazon MQ brokers are not publicly accessible

Security & Compliance

Critical

Ensure Amazon MQ brokers are not publicly accessible

Security & Compliance

Low

Ensure Amazon MQ brokers are using the active/standby deployment mode

Availability

AWS Well-Architected Framework

Low

Ensure Amazon MQ brokers are using the latest engine version

Security & Compliance

Medium

Ensure Amazon SageMaker Notebook Instance is in VPC

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure Application Load Balancer (ALB) has access logging enabled

Security & Compliance

No items found.

Medium

Ensure Application Load Balancers (ALB) are configured to drop HTTP headers

Security & Compliance

AWS Foundational Security Best Practices Controls

Low

Ensure Auto-Tune feature is enabled in OpenSearch clusters

Other

No items found.

Medium

Ensure CloudFormation stacks Termination Protection feature is enabled

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure CloudFormation stacks are sending event notifications to an SNS topic

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure CloudFront distribution enforce HTTPS protocol for data in-transit

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2

Security & Compliance

Medium

Ensure CloudFront has WAF attached

Security & Compliance

AWS Foundational Security Best Practices Controls

Medium

Ensure CloudFront web distributions are configured to compress objects (files) automatically

AWS Cost Optimization

Medium

Ensure CloudFront web distributions enforce field-level encryption

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure CloudTrail Log File Integrity Validation is enabled

Security & Compliance

High

Ensure CloudTrail buckets are configured to use MFA

Security & Compliance

Medium

Ensure CloudTrail logs are encrypted at rest

Security & Compliance

High

Ensure CloudTrail trails have multi-region enabled

Security & Compliance

High

Ensure CloudTrail trails record global service events

Security & Compliance

Medium

Ensure CloudWatch Logs service is configured to monitor CloudTrail trail logs

Security & Compliance

Medium

Ensure Container liveness probe is configured

Availability

No items found.

Low

Ensure Container readiness probe is configured

Availability

No items found.

Critical

Ensure DMS instances are not accessible via Internet (Network and API)

Security & Compliance

AWS Well-Architected Framework

High

Ensure Database Migration Service (DMS) are not publicly accessible

Security & Compliance

Medium

Ensure Database Migration Service (DMS) replication instances are using Multi-AZ deployment configurations

Availability

Medium

Ensure Database Migration Service (DMS) replication instances have Auto Minor Version Upgrade feature enabled

Security & Compliance

Low

Ensure DocumentDB clusters have Log Exports feature enabled

Security & Compliance

Medium

Ensure DocumentDB database clusters have a minimum backup retention period

Other

AWS Well-Architected Framework

Critical

Ensure DocumentDB database instances are not accessible via Internet (Network and API)

Security & Compliance

Critical

Ensure DocumentDB database instances have storage encryption enabled

Security & Compliance

High

Ensure DocumentDB volumes are of type gp3 (General Purpose SSD) instead of gp2

AWS Cost Optimization

AWS Well-Architected Framework

Low

Ensure DynamoDB Tables are encrypted with customer managed key

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure DynamoDB tables have point in time recovery enabled

Availability

Medium

Ensure EBS snapshots are encrypted

Security & Compliance

Critical

Ensure EBS snapshots are not publicly accessible

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure EBS volumes are encrypted

Security & Compliance

Medium

Ensure EBS volumes are of type gp3 (General Purpose SSD) instead of gp2

AWS Cost Optimization

AWS Well-Architected Framework

Medium

Ensure EBS volumes are of type gp3 (General Purpose SSD) instead of io1

AWS Cost Optimization

AWS Well-Architected Framework

Critical

Ensure EC2 AMIs are not publicly accessible

Security & Compliance

Medium

Ensure EC2 instance uses an IAM profile

Security & Compliance

Medium

Ensure EC2 instances use Instance Metadata Service Version 2 (IMDSv2)

Security & Compliance

AWS Foundational Security Best Practices Controls

Medium

Ensure ECS task definition has memory limit

Availability

No items found.

High

Ensure EFS file systems are encrypted

High

Ensure EFS file systems are encrypted using KMS CMK customer-managed keys

AWS Well-Architected Framework

Low

Ensure EKS Private access is enabled

Security & Compliance

Medium

Ensure EKS Public access is disabled

Security & Compliance

Critical

Ensure EKS Public access is restricted to specific sources

Security & Compliance

Low

Ensure EMR cluster archive log files to S3

Other

AWS Well-Architected Framework

Critical

Ensure EMR cluster master nodes are not publicly accessible

Security & Compliance

No items found.

Medium

Ensure EMR clusters are encrypted in-transit and at-rest

Security & Compliance

AWS Well-Architected Framework

Critical

Ensure ElastiCache Redis clusters are encrypted at-rest

Security & Compliance

Critical

Ensure ElastiCache Redis clusters are encrypted in-transit

Security & Compliance

Low

Ensure ElastiCache Redis clusters have automatic backup turned on

Availability

No items found.

Medium

Ensure Geo-Restriction is enabled within CloudFront distribution

Security & Compliance

Medium

Ensure IAM Group has no inline policy

Security & Compliance

Medium

Ensure IAM Role has no inline policy

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure IAM User has no inline policy

Security & Compliance

AWS Well-Architected Framework

Critical

Ensure IAM password policy expires passwords within 90 days or less

Security & Compliance

Low

Ensure IAM password policy has expiration period

Security & Compliance

Medium

Ensure IAM password policy prevents password reuse

Security & Compliance

Medium

Ensure IAM password policy require at least one lowercase letter

Security & Compliance

AWS Well-Architected Framework

We haven't write about

View all blog posts ->