Profile Applicability:
 • Level 2

Description:

IAM groups allow administrators to manage permissions for multiple IAM users at once by grouping users with similar access requirements. Instead of assigning permissions individually to each user, permissions can be attached to a group, and any user in that group automatically inherits those permissions.

Rationale:

Creating IAM groups simplifies the management of permissions, improves security by enforcing consistent access policies, and reduces the risk of human error. By assigning users to groups based on roles (e.g., Admin, Developer, Read-Only), administrators can ensure that permissions are applied consistently and according to the principle of least privilege.

Impact:

Pros:

  • Simplifies the management of user permissions

  • Ensures consistent permission assignments across users with similar job roles

  • Reduces administrative overhead and human error

  • Enhances security by allowing easy auditing of permissions

Cons:

  • Poorly configured groups may inadvertently grant excessive permissions

  • Users may be assigned to incorrect groups, potentially exposing resources to unauthorized access

  • Requires careful management to ensure groups reflect the evolving needs of the organization

Default Value:

AWS does not create IAM groups automatically. They must be manually created and configured by administrators.

Pre-requisites:

  • IAM permissions to create and manage IAM groups (e.g., iam:CreateGroup, iam:AddUserToGroup)

  • Defined roles and responsibilities for users to determine appropriate groupings

  • Established security and access policies to guide group creation

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to IAM > Groups

  3. Verify that IAM groups are created according to organizational roles and job functions

  4. Review the permissions attached to each group to ensure they align with the principle of least privilege

  5. Check that no user has excessive or unnecessary permissions by being part of overly permissive groups

Using AWS CLI:

List all IAM groups:

aws iam list-groups

Describe a specific group and its attached policies:

aws iam get-group --group-name <group-name>

List users in a specific IAM group:

aws iam get-group --group-name <group-name> --query "Users[*].UserName"
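Step 5 of the test plan (no user gains excessive permissions through an overly permissive group) is easier to carry out offline against the JSON the CLI prints than by reading the console. The script below is an added example, not part of this benchmark: it merges constructed sample output of `aws iam list-groups`, `aws iam get-group`, `aws iam list-attached-group-policies` (managed policies) and `aws iam list-group-policies` (inline policies) and flags groups that are empty, grant nothing, or carry a broad managed policy. Note that `get-group` returns the group and its member users only; attached policies come from `list-attached-group-policies`. The set of "broad" policy ARNs, the group names, user names and the account id are assumptions made for the example.

```python
import json

# Managed policies broad enough that every group carrying one of them deserves
# review under step 5 of the test plan. The set is an assumption of this
# example; extend it with organization-specific policies as needed.
BROAD_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
}

# Constructed sample output of `aws iam list-groups` (account id is fictitious).
LIST_GROUPS_JSON = """{"Groups": [
  {"GroupName": "Admins",     "Arn": "arn:aws:iam::123456789012:group/Admins"},
  {"GroupName": "Developers", "Arn": "arn:aws:iam::123456789012:group/Developers"},
  {"GroupName": "ReadOnly",   "Arn": "arn:aws:iam::123456789012:group/ReadOnly"},
  {"GroupName": "Orphans",    "Arn": "arn:aws:iam::123456789012:group/Orphans"}
]}"""

# Constructed sample output of `aws iam get-group --group-name <name>`, keyed by
# group name. get-group returns the group's metadata plus its member users; it
# does not return policies.
GET_GROUP_JSON = {
    "Admins": '{"Group": {"GroupName": "Admins"}, "Users": [{"UserName": "alice"}, {"UserName": "bob"}]}',
    "Developers": '{"Group": {"GroupName": "Developers"}, "Users": [{"UserName": "carol"}]}',
    "ReadOnly": '{"Group": {"GroupName": "ReadOnly"}, "Users": [{"UserName": "dave"}]}',
    "Orphans": '{"Group": {"GroupName": "Orphans"}, "Users": []}',
}

# Constructed sample output of `aws iam list-attached-group-policies` (managed policies).
ATTACHED_POLICIES_JSON = {
    "Admins": '{"AttachedPolicies": [{"PolicyName": "AdministratorAccess", '
              '"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}',
    "Developers": '{"AttachedPolicies": []}',
    "ReadOnly": '{"AttachedPolicies": [{"PolicyName": "ReadOnlyAccess", '
                '"PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]}',
    "Orphans": '{"AttachedPolicies": []}',
}

# Constructed sample output of `aws iam list-group-policies` (inline policies).
INLINE_POLICIES_JSON = {
    "Admins": '{"PolicyNames": []}',
    "Developers": '{"PolicyNames": ["DeployPipeline"]}',
    "ReadOnly": '{"PolicyNames": []}',
    "Orphans": '{"PolicyNames": []}',
}


def load_groups(list_groups_json, get_group_json, attached_json, inline_json):
    """Merge the four CLI outputs into {group: {users, attached, inline}}."""
    groups = {}
    for entry in json.loads(list_groups_json)["Groups"]:
        name = entry["GroupName"]
        groups[name] = {
            "users": [u["UserName"] for u in json.loads(get_group_json[name])["Users"]],
            "attached": [p["PolicyArn"] for p in json.loads(attached_json[name])["AttachedPolicies"]],
            "inline": list(json.loads(inline_json[name])["PolicyNames"]),
        }
    return groups


def audit_groups(groups):
    """Return (group, finding, detail) tuples a reviewer should look at."""
    findings = []
    for name, info in groups.items():
        if not info["users"]:
            findings.append((name, "empty-group", "no members; delete it or record why it exists"))
        if not info["attached"] and not info["inline"]:
            findings.append((name, "no-policy", "grants nothing; membership suggests an entitlement it does not give"))
        for arn in info["attached"]:
            if arn in BROAD_POLICY_ARNS:
                members = ", ".join(info["users"]) or "nobody"
                findings.append((name, "broad-policy", f"{arn} reaches {members}"))
    return findings


def users_with_broad_access(groups):
    """Map each user to the groups through which they hold a broad managed policy."""
    result = {}
    for name, info in groups.items():
        if BROAD_POLICY_ARNS & set(info["attached"]):
            for user in info["users"]:
                result.setdefault(user, []).append(name)
    return {user: sorted(names) for user, names in sorted(result.items())}


if __name__ == "__main__":
    loaded = load_groups(LIST_GROUPS_JSON, GET_GROUP_JSON, ATTACHED_POLICIES_JSON, INLINE_POLICIES_JSON)
    for group, kind, detail in audit_groups(loaded):
        print(f"[{kind}] {group}: {detail}")
    for user, names in users_with_broad_access(loaded).items():
        print(f"{user} holds broad access via {', '.join(names)}")
```

To run this against a real account, replace the constructed strings with the output of the four commands named in the comments (one `get-group`, `list-attached-group-policies` and `list-group-policies` call per group). The "broad-policy" finding lists the members it reaches so the reviewer can confirm each one actually needs that role; a group that is empty or grants nothing is a candidate for the backout plan.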

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to IAM > Groups

  3. Click Create New Group

  4. Enter a group name (e.g., Developers, Admins, ReadOnly)

  5. Select the permissions policies you want to attach to the group (e.g., AdministratorAccess, ReadOnlyAccess, or custom policies)

  6. Click Create Group

  7. Add users to the group by selecting Add Users to Group and choosing the appropriate IAM users

Using AWS CLI:

Create a new IAM group:

aws iam create-group --group-name <group-name>

Attach policies to the group (e.g., AdministratorAccess):

aws iam attach-group-policy --group-name <group-name> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Add users to the group:

aws iam add-user-to-group --group-name <group-name> --user-name <username>

Backout Plan:

Using AWS Console:

  1. Navigate to IAM > Groups

  2. Select the group to delete

  3. Click Delete Group

  4. Ensure any users who were part of the group are reassigned to the appropriate group or removed as necessary

  5. Review the permissions and reassign any users or groups to ensure no access is lost unintentionally

Using AWS CLI:

Remove users from the group:

aws iam remove-user-from-group --group-name <group-name> --user-name <username>

Delete the IAM group:

aws iam delete-group --group-name <group-name>

References: