
Creating IAM groups

An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users at once, which makes it easier to manage permissions consistently. For example, you could have a group called developer and give it the permissions developers typically need. If the developer group only needs access to S3 and DynamoDB, you create a group called developer and attach policies to it that grant access to S3 and DynamoDB only. Similarly, if you have administrators managing AWS resources, you can create an admin group and attach administrator-related policies to that group. If a user changes jobs in your organization, instead of editing that user's permissions, you remove him or her from the old group and add them to the appropriate new group, so the permissions follow the role rather than the person. You can use Get-IAMGroupList to view the existing groups and New-IAMGroup to create a new group:

PS C:\> Get-IAMGroupList
PS C:\> New-IAMGroup -GroupName developer

The developer group is created, but there are still no policies attached to it and no users in it. Next, let's see which AWS managed policies are available for S3 and DynamoDB. You can use the Get-IAMPolicies cmdlet to retrieve the full list of IAM policies available for you to choose from (current releases of the AWS Tools for PowerShell name this cmdlet Get-IAMPolicyList and keep Get-IAMPolicies as an alias). Get into the habit of reading that list and choosing the policy that is most appropriate for the group, rather than picking the broadest one. I mostly filter it as follows:

PS C:\> Get-IAMPolicies | Where-Object {$_.PolicyName -like "*S3*"} | Format-Table -Property PolicyName,Arn
PS C:\> Get-IAMPolicies | Where-Object {$_.PolicyName -like "*dynamo*"} | Format-Table -Property PolicyName,Arn

You can see that Get-IAMPolicies returned a number of policies that you can choose from for S3 and DynamoDB (the -like comparison is case-insensitive, so "*dynamo*" matches AmazonDynamoDBFullAccess). We will grant AmazonS3FullAccess and AmazonDynamoDBFullAccess to the developer group that we created earlier. Note that these FullAccess policies grant every S3 and DynamoDB action on every bucket and table in the account; they are convenient for a walkthrough, but in a real account you would normally prefer a read-only managed policy or a customer managed policy scoped to the specific resources the team uses. In order to attach a policy to the developer group, you need to know the ARN of the policy, which is the second of the two columns (PolicyName and Arn) that we selected in the output; ARNs beginning with arn:aws:iam::aws:policy/ denote AWS managed policies. You can use the Register-IAMGroupPolicy cmdlet to attach policies to a particular group:

PS C:\> Register-IAMGroupPolicy -GroupName developer -PolicyArn arn:aws:iam::aws:policy/AmazonS3FullAccess
PS C:\> Register-IAMGroupPolicy -GroupName developer -PolicyArn arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess

This cmdlet does not return any output if it runs successfully; you can confirm that both policies are attached with Get-IAMAttachedGroupPolicyList -GroupName developer. Now you can add the IAM user Ramesh (created earlier) to the developer group using Add-IAMUserToGroup:

PS C:\> Add-IAMUserToGroup -UserName "Ramesh" -GroupName "developer"

The IAM user Ramesh is now a member of the IAM group called developer and inherits the S3 and DynamoDB permissions attached to it (Get-IAMGroupForUser -UserName Ramesh lists the groups a user belongs to). But hold on, how can you access AWS using that user? The next section will help you to understand that.

You can also attach policies directly to an IAM user instead of granting them via a group, using the Register-IAMUserPolicy cmdlet. Granting policies via groups is considered a best practice because it eases administration on the AWS Cloud: a user's effective permissions are the union of everything attached to the user and to every group the user belongs to, so permissions attached directly to users are easy to lose track of. Bear in mind that PowerUserAccess is a very broad policy (full access to AWS services except IAM and Organizations management), so attaching it directly to Ramesh makes the developer group's S3 and DynamoDB policies redundant for this user; it is shown here to demonstrate the cmdlet, not as a recommended setup. Let's attach the PowerUserAccess policy to the user Ramesh:

PS C:\> Register-IAMUserPolicy -UserName Ramesh -PolicyArn arn:aws:iam::aws:policy/PowerUserAccess
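The following script is an added example and not code from the original chapter. It wraps the group procedure above (create the group, attach the managed policies, add the user) into an idempotent function, and then audits where a user's managed-policy permissions come from, both direct attachments such as the PowerUserAccess attachment just shown and attachments inherited through groups. It assumes the AWS Tools for PowerShell module is installed, that credentials with IAM permissions are already configured (for example with Set-AWSCredential), and that the group, user and policy names are the ones used in this chapter; the function names Ensure-DeveloperGroup and Get-EffectiveManagedPolicy are hypothetical helpers introduced here.

```powershell
# Added example (not from the original page). Assumes the AWS Tools for PowerShell
# module is installed and a profile with IAM permissions is configured.
# Group, user and policy names are the ones used in the chapter.

$GroupName = 'developer'
$UserName  = 'Ramesh'
$GroupPolicyArns = @(
    'arn:aws:iam::aws:policy/AmazonS3FullAccess',
    'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'
)

function Ensure-DeveloperGroup {
    # Hypothetical helper: creates the group if missing, attaches any policies that are
    # not attached yet, and adds the user if not already a member. Safe to re-run.
    param(
        [string]$Name,
        [string[]]$PolicyArns,
        [string]$User
    )

    # Get-IAMGroup throws NoSuchEntity when the group does not exist.
    try {
        $null = Get-IAMGroup -GroupName $Name -ErrorAction Stop
        Write-Host "Group '$Name' already exists"
    } catch {
        $null = New-IAMGroup -GroupName $Name
        Write-Host "Created group '$Name'"
    }

    # Only attach what is missing, so repeated runs do not generate noise in CloudTrail.
    $attached = @((Get-IAMAttachedGroupPolicyList -GroupName $Name).PolicyArn)
    foreach ($arn in $PolicyArns) {
        if ($attached -notcontains $arn) {
            Register-IAMGroupPolicy -GroupName $Name -PolicyArn $arn
            Write-Host "Attached $arn to '$Name'"
        }
    }

    # Add the user to the group unless already a member.
    $memberOf = @((Get-IAMGroupForUser -UserName $User).GroupName)
    if ($memberOf -notcontains $Name) {
        Add-IAMUserToGroup -UserName $User -GroupName $Name
        Write-Host "Added user '$User' to group '$Name'"
    }
}

function Get-EffectiveManagedPolicy {
    # Hypothetical helper: lists every managed policy that applies to a user, tagged with
    # its source (direct attachment or a specific group). Inline policies and permission
    # boundaries are not covered here; see Get-IAMUserPolicyList / Get-IAMGroupPolicyList.
    param([string]$User)

    $direct = Get-IAMAttachedUserPolicyList -UserName $User | ForEach-Object {
        [pscustomobject]@{ Source = 'user'; PolicyName = $_.PolicyName; PolicyArn = $_.PolicyArn }
    }

    $viaGroups = foreach ($group in Get-IAMGroupForUser -UserName $User) {
        Get-IAMAttachedGroupPolicyList -GroupName $group.GroupName | ForEach-Object {
            [pscustomobject]@{
                Source     = "group:$($group.GroupName)"
                PolicyName = $_.PolicyName
                PolicyArn  = $_.PolicyArn
            }
        }
    }

    @($direct) + @($viaGroups)
}

Ensure-DeveloperGroup -Name $GroupName -PolicyArns $GroupPolicyArns -User $UserName

# After the Register-IAMUserPolicy call in the chapter, this shows PowerUserAccess with
# Source 'user' alongside the two FullAccess policies with Source 'group:developer'.
Get-EffectiveManagedPolicy -User $UserName | Format-Table -Property Source, PolicyName, PolicyArn

# Flag users that have managed policies attached directly, which is the drift that
# group-based administration is meant to avoid.
Get-IAMUserList | ForEach-Object {
    $directCount = @(Get-IAMAttachedUserPolicyList -UserName $_.UserName).Count
    if ($directCount -gt 0) {
        Write-Warning "User $($_.UserName) has $directCount managed policy(ies) attached directly"
    }
}
```

Run the audit part regularly (or wire it into a scheduled job) rather than once: the union semantics mean a single direct attachment like PowerUserAccess silently widens a user's permissions far beyond what the group membership suggests, and the group list alone will not reveal it.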