Creating IAM user groups - AWS Identity and Access Management

Creating IAM user groups


As a best practice, we recommend that you require human users to use federation with an identity provider to access AWS using temporary credentials. If you follow the best practices, you are not managing IAM users and groups. Instead, your users and groups are managed outside of AWS and are able to access AWS resources as a federated identity. A federated identity is a user from your enterprise user directory, a web identity provider, the AWS Directory Service, the Identity Center directory, or any user that accesses AWS services by using credentials provided through an identity source. Federated identities use the groups defined by their identity provider. If you are using AWS IAM Identity Center, see Manage identities in IAM Identity Center in the AWS IAM Identity Center User Guide for information about creating users and groups in IAM Identity Center.

To set up a user group, you need to create the group. Then give the group permissions based on the type of work that you expect the users in the group to do. Finally, add users to the group.

For information about the permissions that you need in order to create a user group, see Permissions required to access IAM resources.

To create an IAM user group and attach policies (console)
  1. Sign in to the AWS Management Console and open the IAM console at

  2. In the navigation pane, choose User groups and then choose Create group.

  3. For User group name, type the name of the group.


    The number and size of IAM resources in an AWS account are limited. For more information, see IAM and AWS STS quotas. Group names can be a combination of up to 128 letters, digits, and these characters: plus (+), equal (=), comma (,), period (.), at sign (@), underscore (_), and hyphen (-). Names must be unique within an account. They are not distinguished by case. For example, you cannot create groups named both ADMINS and admins.

  4. In the list of users, select the check box for each user that you want to add to the group.

  5. In the list of policies, select the check box for each policy that you want to apply to all members of the group.

  6. Choose Create group.

To create IAM user groups (AWS CLI or AWS API)

Use one of the following: