IAM allows you to give your employees, AWS services, and programs running on remote servers managed access to your AWS resources. IAM groups are a useful organization tool that lets you define permissions for multiple users at the same time.
IAM organization tools
First, a brief breakdown of IAM’s various tools:
IAM policies combine individual permissions into a cohesive object that can be applied to users, roles, and groups. For example, you can create a policy that allows you to put objects in a specific set of S3 buckets.
IAM users are identities for people (or legacy workloads) that carry long-term credentials: a password for the Management Console and/or access keys for the CLI and API. This is how employees reach AWS resources from outside your AWS account. An administrator attaches policies to the user to grant permissions; users do not grant themselves anything.
IAM roles are similar to users, but they have no long-term credentials: whoever assumes a role receives temporary credentials from STS. Roles are the right way to let other AWS services use your resources, and also to grant cross-account or federated access, without handing out access keys. For example, you can attach a role (via an instance profile) to an EC2 instance that allows access to S3. Since the instance is already running in your AWS account, it can act as the role without any stored keys.
AWS Organizations is a separate service that lets you run multiple AWS accounts under one management account (formerly called the master account) with consolidated billing and central control; the number of member accounts is governed by an adjustable service quota, not a fixed limit. While this is not technically part of IAM, it lets you completely separate development, test, staging, and production environments so that you can give looser IAM permissions to employees who work only in the development account.
Today we will discuss IAM groups. A group holds a set of policies, and every user you add to the group is evaluated with those policies as though they were attached to the user directly.
How to work with groups
You can use groups to distinguish between different classes of employees with different authorizations. Suppose you have a team of software developers and a team of QA engineers. Both have different requirements and therefore need different permissions. If you set them up as groups, you can easily onboard new employees with the right access or move users between teams as needed.
Create a new group in the Groups tab of the IAM Management Console.
Give it a name and attach whichever policies you want. A group can hold at most 10 managed policies by default (a service quota that can be raised), so you will likely want to create one or two custom policies for this group rather than attaching many small ones. You can also add inline policies directly to the group, but we recommend customer managed policies instead: they can be reused across groups, are versioned, and are easier to audit in one place.
Click “Create” and that’s all that is required. You can add a new user to the group on the group’s Users tab:
If you’re automating your onboarding process, you can do so from the command line with:
aws iam add-user-to-group --group-name Developers --user-name <user-name>
This adds the group's policies to the user's evaluation alongside anything attached to the user directly; the console lists the two sets separately, and if you remove the user from the group, the group's policies simply stop applying.
You cannot nest groups, but a user can belong to several groups at once (10 per user by default). With that in mind, you can create a Developers group that grants basic permissions and a Senior Developers group that grants more, and then put an employee in both to give them both sets of permissions.
Groups do not override permissions
In IAM, no permission can override another permission. By default everything is implicitly denied, and a user can only use what an identity-based policy explicitly allows. You can also write explicit Deny statements for a user. An explicit Deny always wins over any Allow, regardless of whether either statement comes from the user's own policies or from a group's.
When you create a group, all of the group’s permissions interact with the user permissions in the same way as if they were attached directly to the user. There is no hierarchy.
For example, we create a test user and attach the AWSDenyAll managed policy directly to it. We also create a group, attach the AdministratorAccess managed policy to that group, and add the user to the group. In the IAM policy simulator, every action is explicitly denied because of AWSDenyAll. If we swap things around, putting the deny policy on the group and AdministratorAccess directly on the user, the result is the same. Deny always overrides Allow.
A more useful tool for this is the permissions boundary. Instead of explicitly denying everything a user should not be able to do, even when a group would allow it, you set a managed policy as the user's permissions boundary (boundaries apply to users and roles, not to groups). A boundary never grants anything on its own; it caps the user's identity-based permissions, from groups and from directly attached policies alike, so that only actions the boundary also allows are effective.
It works essentially like a Venn diagram of permissions: the effective permissions are the overlap between what the attached policies explicitly allow and what the boundary allows, and an explicit Deny in either still wins.
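To make the two experiments above concrete (AWSDenyAll versus AdministratorAccess, and the permissions-boundary overlap), here is an added example that is not code from the original article or from AWS: a small evaluator for identity-based policies that applies the rules described, pooling user and group policies with no hierarchy, letting an explicit Deny win, treating everything else as implicit deny, and intersecting with a boundary. The AWS_DENY_ALL and ADMINISTRATOR_ACCESS documents are inline equivalents of those managed policies; the Developers group policy, the read-only boundary and the example-bucket ARN are constructed sample data, and Conditions, NotAction/NotResource and resource-based policies are deliberately not modelled.

```python
"""Toy evaluator for IAM identity-based policies plus a permissions boundary.

Added example, not code from the original article or from AWS. It models the
rules the article describes: policies attached to the user and to its groups are
pooled with no hierarchy, an explicit Deny beats every Allow, anything not
allowed is implicitly denied, and a permissions boundary caps the result to the
intersection. Conditions, NotAction/NotResource and resource-based policies are
not modelled. AWS_DENY_ALL and ADMINISTRATOR_ACCESS are inline equivalents of
the managed policies of those names; the Developers group policy, the boundary
and the example-bucket ARN are constructed sample data.
"""
import fnmatch
import json

# Inline equivalents of the two AWS managed policies used in the article's experiment.
AWS_DENY_ALL = json.loads(
    '{"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}')
ADMINISTRATOR_ACCESS = json.loads(
    '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}')

# Constructed sample data: what a Developers group might grant, and a read-only boundary.
DEVELOPERS_GROUP_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
}""")
READ_ONLY_BOUNDARY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": "arn:aws:s3:::example-bucket*"}]
}""")
OBJECT_ARN = "arn:aws:s3:::example-bucket/report.csv"  # constructed request target


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request.

    IAM patterns use '*' (any run of characters) and '?' (one character).
    Action names are matched case-insensitively, ARNs are not.
    """
    for unsupported in ("NotAction", "NotResource", "Condition"):
        if unsupported in stmt:
            raise NotImplementedError(f"{unsupported} is not modelled here")
    action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
    resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def evaluate_policies(policies, action, resource):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for one pool of policies."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # nothing can override an explicit Deny
            decision = "allowed"
    return decision


def evaluate(user_policies, group_policies, action, resource, boundary=None):
    """Decide one request the way the IAM policy simulator reports it.

    The user's own policies and those of every group it belongs to form one flat
    pool. With a boundary, the request must be allowed by the pool *and* by the
    boundary (the Venn-diagram overlap); a Deny in either is still an explicit deny.
    """
    identity = evaluate_policies(list(user_policies) + list(group_policies), action, resource)
    if boundary is None:
        return identity
    bound = evaluate_policies([boundary], action, resource)
    if "explicitDeny" in (identity, bound):
        return "explicitDeny"
    if identity == "allowed" and bound == "allowed":
        return "allowed"
    return "implicitDeny"


def article_experiment():
    """AWSDenyAll on the user and AdministratorAccess via the group, then swapped."""
    deny_on_user = evaluate([AWS_DENY_ALL], [ADMINISTRATOR_ACCESS], "s3:PutObject", OBJECT_ARN)
    deny_on_group = evaluate([ADMINISTRATOR_ACCESS], [AWS_DENY_ALL], "s3:PutObject", OBJECT_ARN)
    return deny_on_user, deny_on_group  # both explicitDeny: where the Deny sits does not matter


def boundary_experiment():
    """The Developers group grants s3:*, but the boundary only admits two read actions."""
    groups = [DEVELOPERS_GROUP_POLICY]
    return {
        "s3:GetObject": evaluate([], groups, "s3:GetObject", OBJECT_ARN, boundary=READ_ONLY_BOUNDARY),
        "s3:PutObject": evaluate([], groups, "s3:PutObject", OBJECT_ARN, boundary=READ_ONLY_BOUNDARY),
        "s3:PutObject without boundary": evaluate([], groups, "s3:PutObject", OBJECT_ARN),
    }


if __name__ == "__main__":
    print("deny on user / deny on group:", article_experiment())
    for request, decision in boundary_experiment().items():
        print(f"{request:32} {decision}")
```

Running it reproduces the article's observation (both placements of AWSDenyAll give explicitDeny) and shows the boundary doing its job: s3:GetObject is allowed because both the group and the boundary allow it, while s3:PutObject, allowed by the group alone, becomes an implicit deny once the boundary is in force. Feed the evaluator your own exported policy documents to check a group design before attaching it.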