Deleting an IAM user group
When you delete a user group in the Amazon Web Services Management Console, the console automatically removes all group members, detaches all attached managed policies, and deletes all inline policies. However, because IAM does not automatically delete policies that refer to the user group as a resource, you must be careful when you delete a user group. Before you delete your user group, you must manually check all of your policies to find any policies that mention the group by name. For example, John, the Test Team manager, has a policy attached to his IAM user entity that lets him add and remove users from the Test user group. If an administrator deletes the group, the administrator must also delete the policy attached to John. Otherwise, if the administrator recreates the deleted group and gives it the same name, John's permissions remain in place, even if he left the Test Team.
To find policies that refer to a user group as a resource
- From the navigation pane of the IAM console, choose Policies.
- Sort by the Type column to find your Customer managed custom policies.
- Choose the policy name of the policy to delete.
- Choose the Permissions tab, and then choose Summary.
- Choose IAM from the list of services, if it exists.
- Look for the name of your user group in the Resource column.
- Choose Delete to delete the policy.
- Type the policy name to confirm deletion of the policy and choose Delete.
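The same check can be run over exported policy documents instead of one console page at a time. The following is an added example, not part of the original documentation: the function names, account ID, policy names, and Sids are constructed, and it assumes the policy documents (customer managed and inline user policies) have already been retrieved as JSON. It inspects only the Resource element.

```python
import json
import re

def _as_list(value):
    """IAM JSON lets Statement and Resource be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _arn_regex(pattern):
    """Translate IAM ARN wildcards: * is any run of characters, ? is one."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped + r"\Z", re.DOTALL)

def find_group_references(policies, group_arn):
    """Return (policy name, Sid, Resource pattern) for statements naming the group."""
    hits = []
    for name, document in policies.items():
        doc = json.loads(document) if isinstance(document, str) else document
        for stmt in _as_list(doc.get("Statement")):
            for pattern in _as_list(stmt.get("Resource")):
                # Only group-scoped patterns; a bare "*" does not name the group.
                if ":group/" in pattern and _arn_regex(pattern).match(group_arn):
                    hits.append((name, stmt.get("Sid", ""), pattern))
    return hits

# Constructed sample data: account ID, policy names and Sids are placeholders.
ACCOUNT = "arn:aws-cn:iam::111122223333"
SAMPLE_POLICIES = {
    "john-manage-test": {"Version": "2012-10-17", "Statement": [{
        "Sid": "ManageTestMembers", "Effect": "Allow",
        "Action": ["iam:AddUserToGroup", "iam:RemoveUserFromGroup"],
        "Resource": ACCOUNT + ":group/Test"}]},
    "wildcard-groups": json.dumps({"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "iam:GetGroup",
        "Resource": [ACCOUNT + ":group/Te*", ACCOUNT + ":user/*"]}}),
    "dev-only": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "iam:GetGroup",
        "Resource": ACCOUNT + ":group/Dev"}]},
    "read-all": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "iam:List*", "Resource": "*"}]},
}

if __name__ == "__main__":
    for hit in find_group_references(SAMPLE_POLICIES, ACCOUNT + ":group/Test"):
        print(hit)
```

A wildcard hit such as group/Te* also covers other groups, so review it before deleting the policy rather than treating it as specific to the deleted group.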
In contrast, when you use the Amazon CLI, Tools for Windows PowerShell, or Amazon API to delete a user group, you must first remove the users in the group. Then delete any inline policies embedded in the user group. Next, detach any managed policies that are attached to the group. Only then can you delete the user group itself.
Deleting an IAM user group (console)
You can delete an IAM user group from the Amazon Web Services Management Console.
To delete an IAM user group (console)
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane, choose User groups.
- In the list of user groups, select the check box next to the names of the user groups to delete. You can use the search box to filter the list of user groups by type, permissions, and user group name.
- Choose Delete.
- In the confirmation box, if you want to delete a single user group, type the user group name and choose Delete. If you want to delete multiple user groups, type the number of user groups to delete followed by user groups and choose Delete. For example, if you delete three user groups, type 3 user groups.
Deleting an IAM user group (Amazon CLI)
You can delete an IAM user group from the Amazon CLI.
To delete an IAM user group (Amazon CLI)
- Remove all users from the user group.
  - aws iam get-group (to get the list of users in the user group), and aws iam remove-user-from-group (to remove a user from the user group)
- Delete all inline policies embedded in the user group.
  - aws iam list-group-policies (to get a list of the user group's inline policies), and aws iam delete-group-policy (to delete the user group's inline policies)
- Detach all managed policies attached to the user group.
  - aws iam list-attached-group-policies (to get a list of the managed policies attached to the user group), and aws iam detach-group-policy (to detach a managed policy from the user group)
- Delete the user group.
Deleting an IAM user group (Amazon API)
You can use the Amazon API to delete an IAM user group.
To delete an IAM user group (Amazon API)
- Remove all users from the user group.
  - GetGroup (to get the list of users in the user group) and RemoveUserFromGroup (to remove a user from the user group)
- Delete all inline policies embedded in the user group.
  - ListGroupPolicies (to get a list of the user group's inline policies) and DeleteGroupPolicy (to delete the user group's inline policies)
- Detach all managed policies attached to the user group.
  - ListAttachedGroupPolicies (to get a list of the managed policies attached to the user group) and DetachGroupPolicy (to detach a managed policy from the user group)
- Delete the user group.