CloudWiki

Amazon Web Services (AWS)

IAM Group

Permissions
An IAM group is a collection of IAM users that lets you grant, change, and remove permissions for all of those users at once. A permission change made to the group applies to every user in it, which makes permissions easier to manage than per-user grants.
aws_iam_group (IAM Group) attributes:
  • name - (Required) The group's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-_. Group names are not distinguished by case. For example, you cannot create groups named both "ADMINS" and "admins".
  • path - (Optional, default "/") Path in which to create the group.
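The naming rules above are easy to get wrong in automation, so here is an added Python example (not CloudWiki's or AWS's code) that validates a candidate group name against the character set this page lists and checks it against an existing inventory case-insensitively, as the page says the service does. The inventory and candidate names are constructed for the example.

```python
import re

# Character set taken from the attribute description on this page:
# alphanumerics plus = , . @ - _  (no spaces). Constructed example, not AWS code.
GROUP_NAME_RE = re.compile(r"[A-Za-z0-9=,.@_-]+")


def is_valid_group_name(name: str) -> bool:
    """True when the name is non-empty and uses only the allowed characters."""
    return bool(GROUP_NAME_RE.fullmatch(name))


def case_conflicts(existing_names, candidate: str) -> list:
    """Existing names that collide with `candidate` when case is ignored.

    The page notes that group names are not distinguished by case, so
    'ADMINS' blocks 'admins' just as an exact duplicate would.
    """
    return [n for n in existing_names if n.lower() == candidate.lower()]


def check_new_group(existing_names, candidate: str) -> list:
    """Return a list of problems; an empty list means the name can be created."""
    problems = []
    if not is_valid_group_name(candidate):
        problems.append(f"invalid characters or empty name: {candidate!r}")
    for other in case_conflicts(existing_names, candidate):
        problems.append(
            f"conflicts with existing group {other!r} (names are case-insensitive)"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample inventory, not read from any real account
    inventory = ["ADMINS", "developers", "ops.oncall"]
    for name in ["admins", "dev ops", "Developers@corp", "auditors"]:
        print(name, "->", check_new_group(inventory, name) or "ok")
```

Run the check before calling `aws iam create-group` (or before `terraform apply`) so a collision surfaces as a clear message rather than as an API error mid-deployment.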

Associating resources with an IAM Group
Resources do not "belong" to an IAM Group. Rather, one or more Security Groups are associated with a resource.
Create IAM Group via Terraform:
The following HCL creates an IAM group.
Syntax:

resource "aws_iam_group" "developers" {
  name = "developers"
  path = "/users/"
}

Create IAM Group via CLI:
Parameters:

create-group
[--path <value>]
--group-name <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws iam create-group --group-name Admins

Best Practices for IAM Group

Categorized by Availability, Security & Compliance and Cost

  • Warning: IAM Group allows inline Admin access (*:*)
  • Critical: Resource with over permissive DynamoDB GetItem permissions (via IAM Group inline)
  • Critical: Resource with over permissive S3 GetObject permissions (via IAM Group inline)
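To show what those three rules actually test for, here is an added Python example (not CloudWiki's, and not an AWS tool) that audits an inline group policy document of the kind returned by `aws iam get-group-policy`. It goes slightly beyond the rule wording: it also catches service wildcards such as `s3:*` that imply `s3:GetObject`, and an `Allow` with `NotAction` on `Resource: "*"`, which is broad by exclusion. The policy document below is constructed for the example; the function names and severities are this example's own.

```python
import json
from fnmatch import fnmatchcase

# Rule names mirror the best-practice list on this page. Constructed example,
# not CloudWiki's or AWS's code.
ADMIN_ACTION_WILDCARDS = {"*", "*:*"}
WATCHED_ACTIONS = ("dynamodb:GetItem", "s3:GetObject")


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def audit_inline_policy(policy: dict, watched_actions=WATCHED_ACTIONS) -> list:
    """Flag Allow statements on Resource '*' that grant admin or a watched action.

    Returns one dict per finding: statement index, severity and rule text.
    Conditions are deliberately not evaluated: a conservative review flags the
    grant and leaves it to a human to judge whether a Condition narrows it.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # resource-scoped statements are outside these three rules
        actions = _as_list(stmt.get("Action"))
        if "NotAction" in stmt:
            findings.append({"statement": idx, "severity": "Warning",
                             "rule": "Allow with NotAction on Resource '*' (broad grant by exclusion)"})
            continue
        if any(a in ADMIN_ACTION_WILDCARDS for a in actions):
            findings.append({"statement": idx, "severity": "Warning",
                             "rule": "IAM Group allows inline Admin access (*:*)"})
            continue  # every watched action is implied; do not double-report
        for watched in watched_actions:
            if any(action_matches(a, watched) for a in actions):
                findings.append({"statement": idx, "severity": "Critical",
                                 "rule": f"over permissive {watched} permissions (via IAM Group inline)"})
    return findings


# Constructed inline policy for a hypothetical group; not taken from any account
SAMPLE_INLINE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}
  ]
}
""")


if __name__ == "__main__":
    for f in audit_inline_policy(SAMPLE_INLINE_POLICY):
        print(f"statement {f['statement']}: [{f['severity']}] {f['rule']}")
```

Statement 0 is reported once as the admin warning rather than three times, statement 1 trips the DynamoDB GetItem rule, statement 2 is resource-scoped and passes, and the Deny is skipped. The fix in each flagged case is the same: replace the inline `*` grant with a managed policy scoped to named ARNs, and keep the group's inline policies empty so this audit has nothing to find.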