Description:

An IAM user group is a collection of IAM users. You can use user groups to specify permissions for a collection of users, which makes those permissions easier to manage than per-user assignments.

An IAM role is very similar to a user in that it is an identity with permission policies that determine what the identity can and cannot do in AWS. However, a role does not have any credentials of its own associated with it.

IAM policies grant permissions to users, groups, or roles. It is recommended that IAM policies be attached to groups and roles rather than directly to users. Policies let you specify who has access to AWS resources and what actions they can perform on those resources. In other words, policies control what the principal making a request is allowed to do.


Rationale:

Granting permissions at the group level reduces the complexity of access management as the number of users grows. You create groups, attach the necessary policies to each group, and then add IAM users to these groups as needed. For improved efficiency and security, use managed policies whenever possible, attaching them to groups rather than to individual users.


Impact:

By adding individual users to groups, it becomes easier to manage the users and their permissions. Instead of attaching a policy to each user, you attach it once to the group.


Default value:

By default, a newly created user is not a member of any group.


Pre-requisites:

  • Sign in as an administrator or as an IAM user with the required permissions

  • Note down the policies attached to the group


Remediation:


Test plan:

  • Sign in to the AWS Management Console

  • Go to the IAM service at https://console.aws.amazon.com/iam/

  • Click User groups in the left navigation pane

  • Click the name of the group you want to examine and select the Users tab

  • If no users are listed under the Users tab, the group is empty


Using AWS CLI:

To list the groups a given user belongs to (an empty list means the user is not a member of any group):

aws iam list-groups-for-user --user-name <value>
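The following audit helper is an added example for this control; it is not part of the original page and not an AWS-provided tool. It applies the test plan above to a whole account: it flags users that belong to no group, users that carry managed policies attached directly (the pattern the Description discourages), and groups with no members. The checking logic takes callables, so it runs offline on the constructed sample data below and, via `live_audit()`, on real output of the same `aws iam` subcommands when the CLI is installed and configured. The user and group names in the sample data are constructed, not from a real account.

```python
"""Audit helper for IAM group membership (added example, not from the original page)."""
import json
import subprocess
from typing import Callable, Dict, List, Tuple


def audit_users(users: List[str],
                groups_for_user: Callable[[str], List[str]],
                direct_policies_for_user: Callable[[str], List[str]]) -> Dict[str, list]:
    """Return users with no group membership and users carrying directly attached policies."""
    findings: Dict[str, list] = {"no_group": [], "direct_policies": []}
    for user in users:
        if not groups_for_user(user):
            findings["no_group"].append(user)
        direct = direct_policies_for_user(user)
        if direct:
            findings["direct_policies"].append((user, direct))
    return findings


def empty_groups(groups: List[str],
                 users_in_group: Callable[[str], List[str]]) -> List[str]:
    """Return the names of groups that have no members (the test plan's check)."""
    return [group for group in groups if not users_in_group(group)]


def _aws_iam(*args: str) -> dict:
    """Run one `aws iam` subcommand and parse its JSON output (requires a configured CLI)."""
    proc = subprocess.run(["aws", "iam", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def live_audit() -> Tuple[Dict[str, list], List[str]]:
    """Audit the calling account using the same CLI commands as the test plan."""
    users = [u["UserName"] for u in _aws_iam("list-users")["Users"]]
    groups = [g["GroupName"] for g in _aws_iam("list-groups")["Groups"]]
    user_findings = audit_users(
        users,
        lambda u: [g["GroupName"] for g in
                   _aws_iam("list-groups-for-user", "--user-name", u)["Groups"]],
        lambda u: [p["PolicyName"] for p in
                   _aws_iam("list-attached-user-policies", "--user-name", u)["AttachedPolicies"]],
    )
    group_findings = empty_groups(
        groups,
        lambda g: [u["UserName"] for u in _aws_iam("get-group", "--group-name", g)["Users"]],
    )
    return user_findings, group_findings


# Constructed sample data (not from a real account) so the logic can run offline.
SAMPLE_MEMBERSHIP = {"alice": ["Developers"], "bob": [], "carol": ["Admins", "Developers"]}
SAMPLE_DIRECT_POLICIES = {"alice": [], "bob": ["SampleDirectPolicy"], "carol": []}
SAMPLE_GROUP_MEMBERS = {"Developers": ["alice", "carol"], "Admins": ["carol"], "Auditors": []}


def sample_audit() -> Dict[str, list]:
    """Run the user checks against the constructed sample data."""
    return audit_users(list(SAMPLE_MEMBERSHIP), SAMPLE_MEMBERSHIP.__getitem__,
                       SAMPLE_DIRECT_POLICIES.__getitem__)


def sample_empty_groups() -> List[str]:
    """Run the empty-group check against the constructed sample data."""
    return empty_groups(list(SAMPLE_GROUP_MEMBERS), SAMPLE_GROUP_MEMBERS.__getitem__)


if __name__ == "__main__":
    print("users:", sample_audit())
    print("empty groups:", sample_empty_groups())
```

On the sample data, `bob` is reported both as having no group and as carrying a direct policy, and `Auditors` is reported as an empty group. Note that `list-attached-user-policies` only returns managed policies; inline policies embedded in a user would need `aws iam list-user-policies` as well, so extend the second callable if your account uses inline policies.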



Implementation steps:

  • Sign in to the AWS Management Console

  • Go to the IAM service at https://console.aws.amazon.com/iam/

  • Click User groups in the left navigation pane

  • Select the user group you want to examine

  • Click the Users tab

  • Click Add users

  • Select the users you want to add

  • Click Add users



Using AWS CLI:

To add a user to a group:

aws iam add-user-to-group --group-name <value> --user-name <value>


Backout plan:

  • Sign in to the AWS Management Console

  • Go to the IAM service at https://console.aws.amazon.com/iam/

  • Click User groups in the left navigation pane

  • Click the user group

  • Select the user

  • Click Remove users


Using AWS CLI:

To remove a user from a group:

aws iam remove-user-from-group --group-name <value> --user-name <value>

 

Reference:

https://aws.amazon.com/iam/