IT in Education

What is a Group?

awsGroups allow you to consistently manage large numbers of Users, by using Policies. This article describes how to create some key groups.

Create an Administrators group

This group of users will have admin access to your AWS resources when they log on to the Console.

  1. Start by creating an admin role.
    1. Open the role for editing, and click copy  to copy the Role ARN (e.g. arn:aws:iam::1234567891011:role/admin).
  2. Go to Services > IAM.
  3. Select User groups in the left pane.
    1. Click the Create New Group button.
    2. Enter a Group Name (e.g. Administrators).
    3. Click Next Step.
    4. Click Next Step again (don't attach any policies at this stage).
    5. Click Create Group.

You have now created a group with no attached permissions.

  1. Open your newly created group for editing.
  2. Select the Permissions tab.
  3. Expand the Inline Policies section.
  4. Click the click here link.
  5. Choose the Custom Policy option and click Select.

Now you can configure your own inline policy that grants the ability to assume the admin role that you previously created.

  1. Enter AssumeAdminRole for the Policy Name.
  2. Paste the following in the Policy Document (replace AWS_ACCOUNT_NUMBER with your own AWS account number).
  3. Click Apply Policy.

Alternatively for step 2 above, you can paste the arn details next to "Resource":

"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::AWS_ACCOUNT_NUMBER:role/admin"

This inline policy grants anyone who is a member of the Administrators group, the right to assume the admin role.


Create a Users group

It is also a good practice to create a Users group. Everyone is a member of this group, including the admins, who will also be a member of the Administrators group. One purpose of this group might be to force MFA on users. To achieve this you must first create a policy that forces users to adopt MFA.

  1. Go to Services > IAM.
  2. Select User groups in the left pane.
    1. Click the Create New Group button.
    2. Enter a Group Name (e.g. Users).
    3. On the Attach Policy screen, select RequireMFAPolicy.
    4. Click Create Group.

Thanks for visiting,