Creating IAM user groups - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating IAM user groups

Note

As a best practice, we recommend that you require human users to use federation with an identity provider to access Amazon using temporary credentials. If you follow the best practices, you are not managing IAM users and groups. Instead, your users and groups are managed outside of Amazon and are able to access Amazon resources as a federated identity. A federated identity is a user from your enterprise user directory, a web identity provider, the Amazon Directory Service, the Identity Center directory, or any user that accesses Amazon services by using credentials provided through an identity source. Federated identities use the groups defined by their identity provider. If you are using Amazon IAM Identity Center, see Manage identities in IAM Identity Center in the Amazon IAM Identity Center User Guide for information about creating users and groups in IAM Identity Center.

To set up a user group, you need to create the group. Then give the group permissions based on the type of work that you expect the users in the group to do. Finally, add users to the group.

For information about the permissions that you need in order to create a user group, see Permissions required to access IAM resources.

To create an IAM user group and attach policies (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose User groups and then choose Create group.

  3. For User group name, type the name of the group.

    Note

    The number and size of IAM resources in an Amazon account are limited. For more information, see IAM and Amazon STS quotas. Group names can be a combination of up to 128 letters, digits, and these characters: plus (+), equal (=), comma (,), period (.), at sign (@), underscore (_), and hyphen (-). Names must be unique within an account. They are not distinguished by case. For example, you cannot create groups named both ADMINS and admins.

  4. In the list of users, select the check box for each user that you want to add to the group.

  5. In the list of policies, select the check box for each policy that you want to apply to all members of the group.

  6. Choose Create group.

To create IAM user groups (Amazon CLI or Amazon API)

Use one of the following: