Description:
A user group is a collection of IAM users. You can use user groups to specify permissions for a collection of users, which makes those permissions easier to manage.
An IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS. However, a role does not have long-term credentials of its own associated with it.
IAM policies grant privileges to users, groups, or roles. It is recommended that IAM policies be attached to groups and roles rather than directly to users. Policies let you specify who has access to AWS resources and what actions they can perform on those resources. In other words, you use policies to control what the principal making a request is allowed to do.
Rationale:
Granting privileges at the group level reduces the complexity of access management as the number of users grows. You can create groups, attach the necessary policies to each group, then add IAM users to those groups as needed. For improved efficiency and security, use managed policies whenever possible, attaching them to groups rather than to users.
Impact:
Adding individual users to groups makes it easier to manage the users and their permissions. Instead of attaching a policy to each user, you attach that policy once to the group.
Default value:
By default, a user is not a member of any group.
Pre-requisites:
Sign in as an administrator or as an IAM user with the required permissions
At least one IAM group must exist
Remediation:
Test plan:
Sign in to the AWS Management Console
Go to the IAM service at https://console.aws.amazon.com/iam/
Click on Users in the left navigation pane
Click on the name of the user you want to examine and select the Groups tab
If any group is listed, the user is a member of that group; if none is listed, follow the implementation steps to add the user to a group.
Using AWS CLI:
List the IAM groups that a given IAM user belongs to (an empty list means the user is in no group):
aws iam list-groups-for-user --user-name <value>
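The same check automated across a whole account, as an added example (not part of the original check text): it walks every user with the two API calls used above (list-users, list-groups-for-user), following IAM's Marker pagination, and reports users that are in no group. FakeIam and its sample users are constructed stand-ins for boto3.client("iam") so the audit logic runs offline; pass a real client in production.

```python
# Added audit helper (not part of the original check): flag IAM users that
# belong to no IAM group. FakeIam is a constructed stand-in for the boto3
# IAM client; in production pass boto3.client("iam") to users_without_groups.


def _paginate(call, key, **kwargs):
    """Follow IAM's Marker/IsTruncated pagination and yield every item."""
    marker = None
    while True:
        page = call(Marker=marker, **kwargs) if marker else call(**kwargs)
        yield from page[key]
        if not page.get("IsTruncated"):
            return
        marker = page["Marker"]


def users_without_groups(iam):
    """Return the sorted names of users that are members of no IAM group."""
    orphans = []
    for user in _paginate(iam.list_users, "Users"):
        name = user["UserName"]
        if not list(_paginate(iam.list_groups_for_user, "Groups", UserName=name)):
            orphans.append(name)
    return sorted(orphans)


class FakeIam:
    """Constructed stand-in for the boto3 IAM client; sample data only."""

    def __init__(self, memberships, page_size=2):
        self._memberships = memberships  # {user_name: [group_name, ...]}
        self._page_size = page_size

    def list_users(self, Marker=None):
        # Serve users in small pages so the pagination path is exercised.
        names = sorted(self._memberships)
        start = int(Marker) if Marker else 0
        chunk = names[start:start + self._page_size]
        page = {"Users": [{"UserName": n} for n in chunk], "IsTruncated": False}
        if start + self._page_size < len(names):
            page.update(IsTruncated=True, Marker=str(start + self._page_size))
        return page

    def list_groups_for_user(self, UserName, Marker=None):
        groups = [{"GroupName": g} for g in self._memberships[UserName]]
        return {"Groups": groups, "IsTruncated": False}


SAMPLE = FakeIam({"alice": ["Admins"], "bob": [], "carol": ["Developers"], "dave": []})

if __name__ == "__main__":
    print("IAM users with no group membership:", users_without_groups(SAMPLE))
```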
Implementation steps:
Sign in to the AWS Management Console
Go to the IAM service at https://console.aws.amazon.com/iam/
Click on Users in the left navigation pane
Click on the name of the user you want to add to the group and select the Groups tab.
Click on the Add user to groups button.
Select the group(s) you want to add the user to (multiple groups can be selected at a time) and click on the Add to Groups button at the bottom
Click on "Add user to groups".
The IAM user will now inherit the permissions assigned to the selected IAM group(s)
OR
Click on User Groups in the left navigation pane.
Click on the group name.
Click on Add Users.
Click on the user name.
Click on Add User.
Using AWS CLI:
aws iam add-user-to-group --user-name Bob --group-name Admins
Backout plan:
Sign in to the AWS Management Console
Go to the IAM service at https://console.aws.amazon.com/iam/
Click on User Groups in the left navigation pane
Click on the group name, go to the Users tab, select the user and click on Remove user
Using AWS CLI:
aws iam remove-user-from-group --user-name Bob --group-name Admins