Description:
A user group is a collection of IAM users. You can use user groups to specify permissions for a collection of users, which makes those permissions easier to manage.
An IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS. However, unlike a user, a role does not have its own long-term credentials.
IAM policies grant permissions to users, groups, or roles. It is recommended that policies be attached to groups and roles rather than directly to users. Policies let you specify who has access to AWS resources and what actions they can perform on those resources. In other words, policies control what the identity making a request is allowed to do.
Rationale:
Granting permissions at the group level reduces the complexity of access management as the number of users grows. Create groups, attach the necessary policies to each group, and then add IAM users to these groups as needed. For improved efficiency and security, use managed policies whenever possible, attaching them to groups rather than to users.
Impact:
By adding individual users to groups, it becomes easier to manage the users and their permissions. Instead of attaching policies to each user, you can just attach that policy to the group.
Default value:
By default, users will not be added to any group.
Pre-requisites:
Sign in as an administrator or as an IAM user with the required permissions
Note down the policies attached to the group
Remediation:
Test plan:
Sign in to the AWS Management Console
Go to the IAM service at https://console.aws.amazon.com/iam/
Click User groups in the left navigation pane
Click the name of the group you want to examine and select the Users tab
If no users are listed, the group is empty
Using AWS CLI:
To list the groups a given user belongs to (an empty Groups list means the user is in no group):
aws iam list-groups-for-user --user-name <value>
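The test plan above can be automated across all users. The following is an added example, not part of the original control text: it parses the JSON that `aws iam list-users`, `aws iam list-groups-for-user` and `aws iam list-attached-user-policies` print, and flags users that belong to no group or that carry directly attached managed policies (the practice the Description advises against). The sample JSON embedded below is constructed for offline use; `live_audit()` runs the same checks against a real account through the AWS CLI.

```python
"""Audit IAM users for group membership from AWS CLI JSON output."""
import json
import subprocess
from typing import Dict, List


def parse_users(list_users_json: str) -> List[str]:
    """UserName values from `aws iam list-users` output."""
    return [u["UserName"] for u in json.loads(list_users_json)["Users"]]


def audit(list_users_json: str, groups_json: Dict[str, str],
          policies_json: Dict[str, str]) -> Dict[str, List[str]]:
    """Flag users in no group and users with policies attached directly.

    groups_json / policies_json map a user name to the raw JSON printed by
    `aws iam list-groups-for-user --user-name NAME` and
    `aws iam list-attached-user-policies --user-name NAME`.
    """
    no_group, direct_policy = [], []
    for user in parse_users(list_users_json):
        groups = json.loads(groups_json.get(user, '{"Groups": []}'))["Groups"]
        if not groups:
            no_group.append(user)
        attached = json.loads(policies_json.get(user, '{"AttachedPolicies": []}'))
        if attached["AttachedPolicies"]:
            direct_policy.append(user)
    return {"users_without_group": sorted(no_group),
            "users_with_direct_policies": sorted(direct_policy)}


def aws_json(*args: str) -> str:
    """Run an `aws iam ...` command and return its JSON output (needs credentials)."""
    cmd = ["aws", "iam", *args, "--output", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def live_audit() -> Dict[str, List[str]]:
    """Same audit against the current account via the AWS CLI."""
    users_json = aws_json("list-users")
    users = parse_users(users_json)
    groups = {u: aws_json("list-groups-for-user", "--user-name", u) for u in users}
    policies = {u: aws_json("list-attached-user-policies", "--user-name", u) for u in users}
    return audit(users_json, groups, policies)


# Constructed sample output (not from a real account) so the audit runs offline.
SAMPLE_USERS = json.dumps({"Users": [{"UserName": "alice"}, {"UserName": "bob"}, {"UserName": "carol"}]})
SAMPLE_GROUPS = {"alice": json.dumps({"Groups": [{"GroupName": "developers"}]}),
                 "bob": json.dumps({"Groups": []}),
                 "carol": json.dumps({"Groups": [{"GroupName": "auditors"}]})}
SAMPLE_POLICIES = {"alice": json.dumps({"AttachedPolicies": []}),
                   "bob": json.dumps({"AttachedPolicies": []}),
                   "carol": json.dumps({"AttachedPolicies": [{"PolicyName": "AdministratorAccess"}]})}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_USERS, SAMPLE_GROUPS, SAMPLE_POLICIES), indent=2))
```

Users reported under `users_without_group` are candidates for the Implementation steps below; those under `users_with_direct_policies` should have the policy moved to a group.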
Implementation steps:
Sign in to the AWS Management Console
Go to the IAM service at https://console.aws.amazon.com/iam/
Click User groups in the left navigation pane
Select the user group you want to modify
Click the Users tab
Click Add users
Select the users you want to add
Click Add users
Using AWS CLI:
To add a user to a group:
aws iam add-user-to-group --group-name <value> --user-name <value>
Backout plan:
Sign in to the AWS Management Console
Go to the IAM service at https://console.aws.amazon.com/iam/
Click User groups in the left navigation pane
Click the user group you want to modify and open the Users tab
Select the user
Click Remove users
Using AWS CLI:
To remove a user from a group:
aws iam remove-user-from-group --group-name <value> --user-name <value>