Mastering AWS Security

IAM groups

A collection of IAM users is known as an IAM group. Groups allow you to manage permissions for more than one user at a time by grouping users according to their job functions, departments, or access requirements. So, in a typical IT organization, you'll have groups for developers, administrators, and project managers. You add each user to the group that matches their job function and assign permissions directly to the group; every user in that group gets those permissions automatically. If a developer moves to another job function within the organization, you simply change their group membership, which grants the new permissions and revokes the old ones. This makes it much easier to manage permissions for multiple users in your organization.

Let us look at features of IAM groups:

  • A group can contain many users, and a user can belong to more than one group.
  • Groups can't be nested; they can contain only users, not other groups.
  • Groups do not have security credentials of their own and can't access AWS services themselves. They simply provide a way to manage IAM users and the permissions those users require.
  • Groups can be created, renamed, edited, and deleted from the AWS console as well as from the CLI.

Let us look at the following diagram as an example of IAM groups. There are three groups: Admins, Developers, and Test. The Admins group contains two people, Bob and Susan, whereas the Developers group contains an application identity, DevApp1, along with people. Each user in these groups has their own security credentials:

Figure 3 - AWS IAM groups

Normally, the following would be the sequence of events for creating these groups and users:

  1. AWS account will be created by the organization.
  2. The root user will log in and create the Admins group and two users, Bob and Susan.
  3. The root user will assign administrator permissions to the Admins group and add Bob and Susan to the Admins group.
  4. Users in the Admins group will follow the same process for creating other groups and users, assigning permissions to groups, and adding users to groups.

Note that the root user is used only for creating the Admins group and its users. Alternatively, the root user can simply create an IAM user Susan with administrator permissions, and all of the work after that can be done by user Susan. From then on, all other groups and users are created by users who have administrator permissions.

Let us look at the following steps to create groups using the AWS console. You can also create groups from the AWS CLI, the AWS API, and the AWS Tools for Windows PowerShell:

  1. Navigate to IAM in the AWS console.
  2. Click on Groups in the navigation pane. This page lists all groups present in your AWS account.
  3. Click on the Create New Group button.
  4. Give a name for your group and click on the Next Step button.
  5. On the next page, you can attach a policy to your group, or you can do it after you have created the group.
  6. Review all the information for this group and click on the Create Group button.
  7. Once your group is created, you can add users to or remove users from this group. You can also edit or delete the group from the console.
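The same sequence of events described above (root bootstraps the Admins group, admins create the job-function groups) and the console steps just listed can be scripted with the AWS CLI. The following script is an added example, not code from the book; it uses the real AWS CLI subcommands (create-group, attach-group-policy, create-user, add-user-to-group, remove-user-from-group, list-groups-for-user) and the real AWS-managed AdministratorAccess policy ARN. The user and group names come from the chapter's figure; the customer-managed policy ARNs under account 123456789012 and the user Dave are placeholders. It prints the commands by default (DRY_RUN=1) and only executes them when run with DRY_RUN=0 under credentials that have IAM permissions.

```shell
#!/bin/sh
# Added example (not from the book): bootstrap IAM groups and move a user
# between job-function groups with the AWS CLI.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create a group and attach one managed policy to it. Permissions live on
# the group, so every member inherits them and nothing is attached per user.
create_group_with_policy() {
    group="$1"; policy_arn="$2"
    run aws iam create-group --group-name "$group"
    run aws iam attach-group-policy --group-name "$group" --policy-arn "$policy_arn"
}

# Create a user and place it in a group. The user itself carries no policy.
create_user_in_group() {
    user="$1"; group="$2"
    run aws iam create-user --user-name "$user"
    run aws iam add-user-to-group --user-name "$user" --group-name "$group"
}

# Job-function change: leave the old group first so its permissions are
# revoked, then join the new one, and list memberships to confirm the result.
move_user() {
    user="$1"; old_group="$2"; new_group="$3"
    run aws iam remove-user-from-group --user-name "$user" --group-name "$old_group"
    run aws iam add-user-to-group --user-name "$user" --group-name "$new_group"
    run aws iam list-groups-for-user --user-name "$user"
}

bootstrap() {
    # Steps 2-3 of the chapter's sequence: the root user (or a single
    # bootstrap admin) creates Admins with AdministratorAccess and adds
    # Bob and Susan. AdministratorAccess is an AWS-managed policy.
    create_group_with_policy Admins arn:aws:iam::aws:policy/AdministratorAccess
    create_user_in_group Bob Admins
    create_user_in_group Susan Admins
    # Step 4: an Admins member creates the remaining job-function groups.
    # The policy ARNs below are placeholders for customer-managed policies.
    create_group_with_policy Developers arn:aws:iam::123456789012:policy/DeveloperAccess
    create_group_with_policy Test arn:aws:iam::123456789012:policy/TestAccess
}

bootstrap
# Example of the job-function change described in the text (Dave is a placeholder user).
move_user Dave Developers Test
```

Run it once with the default DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 under an administrator's credentials. When you later delete a group, note that `aws iam delete-group` refuses a group that still has members or attached policies; remove the users and detach the policies first (the console does this for you).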