AWS Security, Identity & Compliance: IAM Groups
In the AWS ecosystem, managing individual permissions for hundreds of users is an operational nightmare and a security risk. IAM Groups are the architectural solution for managing permissions at scale by clustering users with similar job functions.
Core Concepts & Configuration
An IAM Group is a collection of IAM users. It allows you to specify permissions for a multiple users, which can make it easier to manage those permissions. It is important to note that a group is not an “identity” in the same way a user or role is; it cannot be identified as a Principal in a resource-based policy.
Key Characteristics
- No Nesting: Groups cannot contain other groups. This is a common SAA-C03 distractor.
- Multi-Membership: A single IAM user can belong to up to 10 groups (default limit).
- Policy Attachment: You attach Managed Policies or Inline Policies directly to the group. All users in the group inherit those permissions.
- No Credentials: Groups do not have passwords or access keys. Only Users have credentials.
Comparison: Users vs. Groups vs. Roles
| Feature | IAM User | IAM Group | IAM Role |
|---|---|---|---|
| Definition | End user or application identity. | Collection of users. | Temporary identity for entities. |
| Credentials | Long-term (Password/Keys). | None. | Short-term (STS tokens). |
| Use Case | Individual person or service. | Bulk permission management. | Cross-account access or AWS services. |
| Principal? | Yes. | No. | Yes. |
Decision Matrix: If-Then Guide
- If you need to grant 50 developers access to a specific S3 bucket: Then create a “Developers” group and attach the policy to the group.
- If an employee leaves the company: Then simply remove the user from all groups (and delete the user).
- If you need to grant an EC2 instance permission to access DynamoDB: Then use an IAM Role (not a group).
- If you need to organize users by department (HR, Finance, Dev): Then use IAM Groups.
Exam Tips and Gotchas
- The “All or Nothing” Trap: Permissions are additive. If a user is in Group A (Allow S3) and Group B (Allow EC2), they have access to both. However, an explicit Deny in any attached policy (User, Group, or Role) always overrides any Allow.
- Nesting: AWS does not support nested groups. You cannot put the “DevOps” group inside the “Engineering” group.
- Resource Policies: You cannot list an IAM Group as a
Principalin an S3 Bucket Policy. You must list individual Users or Roles, or use conditions. - Limits: Be aware of the default limit of 300 groups per AWS account and 10 groups per user.
Topics covered:
Summary of key subtopics covered in this guide:
- Definition and purpose of IAM Groups in the Principle of Least Privilege.
- Functional limitations (No nesting, no credentials).
- Comparison between Users, Groups, and Roles for exam scenarios.
- Policy inheritance and the “Explicit Deny” rule.
- Management at scale for large organizations.
IAM Group Architecture Flow
Service Ecosystem
IAM: Core service for group creation.
AWS Organizations: Use Service Control Policies (SCPs) to restrict what even a Group Admin can do.
CloudWatch: Monitor CreateGroup and UpdateGroup API calls via CloudTrail for security auditing.
Performance & Scaling
Groups do not impact “performance” in terms of latency, but they drastically improve Administrative Performance.
Adding a user to a group is an instantaneous change (Eventual Consistency usually applies within seconds).
Cost Optimization
Cost: $0.00.
IAM is a global feature of AWS and is provided at no additional charge. There is no cost benefit to using fewer groups; use as many as needed to maintain security best practices.
Production Use Case
A multi-national corporation creates groups based on Job Function (e.g., NetworkAdmins, ReadOnlyAuditors, DataScientists). When a Data Scientist is promoted to a Network Admin, the IT team performs a single “Move” operation between groups, ensuring the user never has more permissions than required for their current role.