Deleting an IAM user group - AWS Identity and Access Management

Deleting an IAM user group

When you delete a user group in the AWS Management Console, the console automatically removes all group members, detaches all attached managed policies, and deletes all inline policies. However, IAM does not automatically delete policies that refer to the user group as a resource, so before you delete a user group you must manually check all of your policies for any that mention the group by name.

For example, suppose John is the manager of the testing part of the organization. John has a policy attached to his IAM user entity that lets him add and remove users from the Test user group. If an administrator deletes the group, the administrator must also delete the policy attached to John. A policy left behind still names the group in its Resource element, so it would apply again to any group later created with the same name and path.

To find policies that refer to a user group as a resource

  1. From the navigation pane of the IAM console, choose Policies.

  2. From the Policy type drop-down list, choose Customer managed to filter the policies to show only your custom policies.

  3. Choose the arrow next to each policy name to expand the policy summary.

  4. Choose IAM from the list of services, if it exists.

  5. Look for the name of your group in the Resource column.

  6. Choose Delete policy to delete the policy.
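A scripted version of the manual check above, as an added example that is not part of the AWS documentation: it scans policy documents that have already been parsed from JSON for Resource entries matching the group's ARN, including the `*` and `?` wildcards. The function names, the sample policies, and the account ID 111122223333 are constructed for illustration.

```python
import re

def as_list(value):
    """Statement and Resource may each be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def arn_matches(pattern, arn):
    """IAM wildcards: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn) is not None  # case-sensitive (assumption)

def policies_referencing_group(policies, account_id, group_name, path="/"):
    """Return (policy_name, sid, resource_pattern) for every statement whose
    Resource element matches the group's ARN, literally or by wildcard."""
    arn = f"arn:aws:iam::{account_id}:group{path}{group_name}"
    hits = []
    for name, doc in policies.items():
        for stmt in as_list(doc.get("Statement")):
            for pattern in as_list(stmt.get("Resource")):
                # A bare "*" covers every resource and does not name the group.
                if pattern != "*" and arn_matches(pattern, arn):
                    hits.append((name, stmt.get("Sid"), pattern))
    return hits

# Constructed sample documents; 111122223333 is a placeholder account ID.
SAMPLE_POLICIES = {
    "JohnManageTestGroup": {"Version": "2012-10-17", "Statement": {
        "Sid": "ManageTestMembers", "Effect": "Allow",
        "Action": ["iam:AddUserToGroup", "iam:RemoveUserFromGroup"],
        "Resource": "arn:aws:iam::111122223333:group/Test"}},
    "TestPrefixedGroups": {"Version": "2012-10-17", "Statement": [{
        "Sid": "ReadTestGroups", "Effect": "Allow", "Action": "iam:GetGroup",
        "Resource": ["arn:aws:iam::*:group/Test*",
                     "arn:aws:iam::111122223333:user/*"]}]},
    "ProdOnly": {"Version": "2012-10-17", "Statement": [{
        "Sid": "ReadProd", "Effect": "Allow", "Action": "iam:GetGroup",
        "Resource": "arn:aws:iam::111122223333:group/Prod"}]},
    "AdminEverything": {"Version": "2012-10-17", "Statement": [{
        "Sid": "All", "Effect": "Allow", "Action": "iam:*", "Resource": "*"}]},
}

if __name__ == "__main__":
    for hit in policies_referencing_group(SAMPLE_POLICIES, "111122223333", "Test"):
        print(hit)
```

Statements that use NotResource are not examined here and still need a manual read.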

In contrast, when you use the AWS CLI, Tools for Windows PowerShell, or AWS API to delete a user group, you must first remove the users in the group. Then delete any inline policies embedded in the user group. Next, detach any managed policies that are attached to the group. Only then can you delete the user group itself.

Deleting an IAM user group (console)

You can delete an IAM user group from the AWS Management Console.

To delete an IAM user group (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose User groups.

  3. In the list of user groups, select the check box next to the names of the user groups to delete. You can use the search box to filter the list of user groups by type, permissions, and user group name.

  4. Choose Delete.

  5. In the confirmation box, if you are deleting a single user group, type the user group name and choose Delete. If you are deleting multiple user groups, type the number of user groups you are deleting followed by "user groups" and choose Delete. For example, if you are deleting three user groups, type "3 user groups".

Deleting an IAM user group (AWS CLI)

You can delete an IAM user group from the AWS CLI.

To delete an IAM user group (AWS CLI)

  1. Remove all users from the user group.

  2. Delete all inline policies embedded in the user group.

  3. Detach all managed policies attached to the user group.

  4. Delete the user group.

Deleting an IAM user group (AWS API)

You can use the AWS API to delete an IAM user group.

To delete an IAM user group (AWS API)

  1. Remove all users from the user group.

  2. Delete all inline policies embedded in the user group.

  3. Detach all managed policies attached to the user group.

  4. Delete the user group.