IAM Group
💡 Definition
An IAM Group is a collection of IAM Users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.
🔑 Key Concepts
- Efficiency: Instead of attaching a policy to 10 different users, you attach it once to the Group.
- Not an Identity: A Group is not an identity; it cannot "log in" or make requests. It is just a container for users.
- Inheritance: Users added to the Group automatically inherit the permissions attached to the Group.
⚙️ How it Works
- Create Group: e.g., "Developers".
- Attach Policy: Attach an "EC2FullAccess" policy to the "Developers" group.
- Add Users: Add "Alice" and "Bob" to the group. They now both have EC2 access.
🎯 Use Cases
- Job Functions: Creating groups for "Admins", "Developers", "Testers", "HR".
- Onboarding: Easily giving new hires the correct permissions by simply adding them to the relevant groups.
💰 Pricing Model
- Free feature of IAM.
📝 Exam Tips (CLF-C02)
- Best practice: Attach permissions to Groups, not directly to Users.
- A Group is not an identity (cannot be used to make API calls).
- A user can belong to multiple groups.
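
An added example, not part of the original notes: a small Python audit of the inheritance described under How it Works and of the "attach to Groups, not Users" tip above. It assumes account data shaped like the output of `aws iam get-account-authorization-details`; the sample data, the user "Carol" and every policy name other than "EC2FullAccess" are constructed.

```python
# Constructed sample shaped like `aws iam get-account-authorization-details`
# output (only the fields used here). Policy names other than "EC2FullAccess",
# and the user "Carol", are made up for this example.
SAMPLE = {
    "GroupDetailList": [
        {"GroupName": "Developers", "GroupPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "EC2FullAccess"}]},
        {"GroupName": "Testers",
         "GroupPolicyList": [{"PolicyName": "example-test-logs-inline"}],
         "AttachedManagedPolicies": [{"PolicyName": "ExampleS3ReadOnly"}]},
    ],
    "UserDetailList": [
        {"UserName": "Alice", "GroupList": ["Developers", "Testers"],
         "AttachedManagedPolicies": [], "UserPolicyList": []},
        {"UserName": "Bob", "GroupList": ["Developers"], "UserPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "ExampleAdminAccess"}]},
        {"UserName": "Carol", "GroupList": [],
         "AttachedManagedPolicies": [], "UserPolicyList": []},
    ],
}

def direct_policy_names(entity, inline_key):
    """Managed plus inline policy names attached directly to one user or group."""
    managed = [p["PolicyName"] for p in entity.get("AttachedManagedPolicies", [])]
    inline = [p["PolicyName"] for p in entity.get(inline_key, [])]
    return managed + inline

def audit(details):
    """Per user: policies inherited via groups, direct policies, and findings."""
    groups = {g["GroupName"]: direct_policy_names(g, "GroupPolicyList")
              for g in details["GroupDetailList"]}
    report = {}
    for user in details["UserDetailList"]:
        inherited = {}  # policy name -> groups that grant it
        for group in user.get("GroupList", []):
            for policy in groups.get(group, []):
                inherited.setdefault(policy, []).append(group)
        direct = direct_policy_names(user, "UserPolicyList")
        findings = []
        if direct:  # permissions bypass the group model
            findings.append("direct-policy")
        if not user.get("GroupList"):  # user sits outside every group
            findings.append("no-group")
        report[user["UserName"]] = {
            "inherited": inherited, "direct": direct, "findings": findings}
    return report

if __name__ == "__main__":
    for name, row in audit(SAMPLE).items():
        print(name, row)
```
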
See Also:
- IAM User
- IAM Policy
- IAM