Managing Multiple Users with IAM User Groups
Managing Multiple Users with IAM User Groups
4h 50m

This section of the AWS Certified Solutions Architect - Professional learning path introduces the key identity management, security, and encryption services within AWS relevant to the AWS Certified Solutions Architect - Professional exam. Core to security is AWS Identity & Access Management commonly referred to as IAM. This service manages identities and their permissions that can access your AWS resources, so understanding how this service works and what you can do with it will help you to maintain a secure AWS environment. IAM is an important service in ensuring your resources are secure.

Want more? Try a Lab Playground or do a Lab Challenge

Learning Objectives

  • Learn about identity and access management on AWS, including users, groups & roles, IAM policies, MFA, identity federation, and cross-account access
  • Learn the fundamentals of AWS Web Application Firewall (WAF), including what it is, when to use it, how it works, and why use it
  • Understand how to configure and monitor AWS WAF
  • Learn about AWS Firewall Manager and its components
  • Learn how to configure AWS Shield
  • Learn the fundamentals of AWS Cognito

In this lecture, I want to talk about how IAM User Groups can be used to manage multiple users. IAM User Groups do not signify a single user and they can't be referenced as a principal in any AWS access policy like a User or a Role can. However, they are used to authorize access for members of the group to AWS resources through the use of AWS Policies attached to the User Groups. So User Groups are objects that contain IAM Users, and these User Groups will have IAM policies associated that will allow or explicitly deny access to AWS resources.

These policies can be AWS Managed policies that can be selected from within IAM, customer-managed policies that are created by you, or in-line policies, which are written and embedded directly into the group. User Groups are a great user management feature and they are normally created to directly relate to a specific requirement or job role. For example, you could have a group called Developers, and then attach policies to that group that allow access to AWS resources required by your development team.

Any users that are then a member of that group will automatically inherit the permissions applied to the group. By applying permissions to a group instead of individual users, it makes it easy to modify permissions for multiple users at once, simplifying access management at scale. It's a security best practice to apply permissions to User Groups and then associate users to that group than to associate policies to individual Users. This prevents you having to update permissions for each and every user.

For example, if you needed to change access for all the individual developers that had policies assigned to them directly, and this can be very time intensive and prone to human error, especially in an enterprise environment. If using groups and additional access is required for your Developer User Group, all you would need to do is to modify the permissions of the Developer Group and all your associated developers would inherit the new access.

Creating a group is very simple and is essentially a three-step process. You must give your group a meaningful name, add users to the group, attach permissions via the policies. Once you have created a user group, you can then review its configuration, edit the permissions and see other details such as the ARN of the user group. Let me show you via a quick demonstration on how to create an IAM group and then how to modify the permissions of the group once it's been created.

Okay, so I've logged into my AWS Management Console and I've gone to the IAM dashboard. Now, from here, to access and create groups, under access management on the left, you can see user groups. So if you select that, and then will show you any groups that you currently have. And I only have one group, which is Admin. So to create a new group, you've gotta cross to the right-hand side here, click on create group. And the first thing you need to do is to give the group a name. So I'm going to call this MyS3andEC2Group. And then after that, you need to select the users that you want to be a part of the group.

So if you already have the IAM users there, you can add them at this stage. So let's just go ahead and add in Stuart. And then at the bottom, you can then attach any policies that you want to be associated with the group. So if I type in S3, and it'll pick up any policies that we have associated with S3. And I'm going to select this one here, this AmazonS3andEC2FullAccess policy. And if I click on the little plus sign here, it'll give you a JSON view of the actual policy itself. So you can see exactly what's happening.

So now I've selected that policy. If we just go down to create group at the bottom, and it's as simple as that. So it's very easy to create a group. You simple give it a name, specify the users if you need to at that stage and also add any permissions if you want to at that stage as well.

Now, once we've created our group, if we select it, we can see the user list here. Now, if you need to add any additional users, simply click on add users, select the users that you'd like and click on add users. And then they'll be immediately added to the group. You can also look at the permissions. So here's the policy that we added. Now, we can if we want to, add additional permissions by clicking on this button here. And you can either attach an existing policy or create an inline policy that's directly embedded into the group.

So for example, if we go to attach policies, and we want RDS access as well for the people in this group, have a quick search and we'll select this AWS managed policy for RDSFullAccess. Click on add permissions. And we can now see that this group has two permissions policies. And again, we can view the JSON details of those policies if we want to. And then we have the Amazon RDS policy here. So it's very easy to set up groups and only literally takes just a few clicks.

So that's how you create a new group, add users and also change the permissions as well. And also, just before we finish, if you want to delete the group, you can click on delete here. And we just need to type in the name of the group to confirm the deletion. So I'll just go ahead and do that. Then click on delete. And that deletes the group. Finally, from a limitation perspective, your AWS account has a default maximum limit of 300 groups. To increase this you'll need to contact AWS using the appropriate limit increase forms. Also, a user can only be associated with 10 groups, so bear this in mind when assigning permissions and each group can contain 10 different policies attached at once. Limitations on AWS services is fluctuating all of the time, so for the latest information on Group limitations, please see the following URL here.

About the Author
Learning Paths

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.