Chapter 4.2 β Hands-on companion to Chapter 4: IAM: The Gatekeeper of AWS. In the last post, we gave Aarav, Meera, and Rohit their own IAM users. Today we fix the messy part β permissions managed properly through groups.
Where We Left Off
In Chapter 4.1, we created three IAM users for Pixel & Spoon's team:
-
aarav-devβ backend developer -
meera-designβ UI designer -
rohit-devopsβ DevOps engineer
We attached policies directly to each user β which worked, but it's not how real teams manage access.
Here's why that approach breaks quickly.
Next month, Pixel & Spoon hires a second backend developer. You'd have to remember exactly which policies Aarav has, then manually replicate them on the new hire. Then again for the third. Then again when you decide all developers need an extra permission β and now you have to update every single developer's user one by one.
That's not scalable. That's not even fun.
IAM Groups fix this completely.
ποΈ The Idea in One Sentence
Instead of managing permissions per person β manage them per role.
Create a Developers group. Attach the right policies to it. Add Aarav to it. Done. When the second developer joins, just add them to the same group β they instantly have identical access, zero extra config.
β Without Groups
aarav-dev β EC2FullAccess (manually attached)
new-developer β EC2FullAccess (manually remembered and attached)
another-dev β EC2FullAccess (manually attached again...)
β
With Groups
Developers Group β EC2FullAccess (attached once)
β
βββ aarav-dev (inherits automatically)
βββ new-developer (inherits automatically)
βββ another-dev (inherits automatically)
One policy. One place to update. Everyone in the group stays in sync.
π οΈ Step-by-Step: Creating the Developers Group
We'll create three groups for Pixel & Spoon β Developers, Designers, and Admins. Let's do Developers first and walk through it fully.
Step 1 β Open IAM
In the AWS Console search bar, type IAM and open the IAM Dashboard.
Step 2 β Go to User Groups
On the left sidebar, click User groups β not "Users." It's just below it.
Click the orange Create group button.
Step 3 β Name the Group
For the group name, use:
Developers
Keep names simple, role-based, and capitalised for clarity. You'll thank yourself when you have 10 groups and need to scan through them quickly.
Step 4 β Add Users to the Group
Scroll down to the "Add users to the group" section. You'll see a list of your existing IAM users.
Tick the checkbox next to aarav-dev.
That's it for now β we'll add future developers here too when they join.
Step 5 β Attach a Permission Policy
Scroll further down to "Attach permissions policies".
Search for:
AmazonEC2FullAccess
Tick it. This gives every member of the Developers group full access to EC2 β exactly what Aarav needs to build Pixel & Spoon's ordering backend.
π‘ We're using
AmazonEC2FullAccessfor now because it's a clean AWS-managed policy that matches what Aarav's role requires at this stage. In Chapter 4.3, we'll look at writing tighter, custom policies when the default ones are too broad.
Click Create group.
π Now Create the Other Two Groups
The process is identical β just different names, users, and policies.
Designers Group
| Field | Value |
|---|---|
| Group name | Designers |
| Add user | meera-design |
| Attach policy | AmazonS3FullAccess |
Meera needs S3 access to upload Pixel & Spoon's website assets, images, and frontend files. Nothing else.
Admins Group
| Field | Value |
|---|---|
| Group name | Admins |
| Add user | rohit-devops |
| Attach policy | AdministratorAccess |
Rohit is DevOps β he needs broad infrastructure access to keep everything running. AdministratorAccess is the most powerful AWS-managed policy. Treat group membership carefully here β only people who genuinely need full access belong in Admins.

π§Ή Clean Up: Remove the Old Direct Policies
Remember in Chapter 4.1 we attached policies directly to each user as a temporary workaround?
Now that groups exist, those direct attachments are redundant β and having both can cause confusion later. Let's remove them.
Step 1 β In IAM, go to Users β click aarav-dev.
Step 2 β Click the Permissions tab. You'll see both the directly attached AmazonEC2FullAccess policy and the group-inherited one.
Step 3 β Click the X next to the directly attached policy to remove it.
If you donnt see the [x] button next to the directly attached, Remove the
AmazonEC2FullAccesscompletly and then add the user again to the Developers Group.
Aarav still has EC2 access β now cleanly inherited from the Developers group, not attached twice.
Repeat for meera-design (remove direct S3 policy) and rohit-devops (remove direct AdministratorAccess).
β What Pixel & Spoon Looks Like Now
π’ Pixel & Spoon β AWS Account
π₯ Developers Group β AmazonEC2FullAccess
βββ aarav-dev
π₯ Designers Group β AmazonS3FullAccess
βββ meera-design
π₯ Admins Group β AdministratorAccess
βββ rohit-devops
π Root account β Locked away with MFA
Clean. Organised. Scalable.
When Pixel & Spoon hires its next backend developer, you open the Developers group, add their user, and walk away. They have exactly the right access in under 30 seconds.
When you need all developers to also access Lambda (which we'll need later in the series), you add the Lambda policy to the Developers group once β and every developer gets it instantly.
That's the power of managing permissions through groups.
π οΈ Try It Yourself: Create a new user and add them to a group
Task: Pixel & Spoon just hired a second backend developer β Subham.
Goal: Create his IAM user and add him to the Developers group.
Steps:
-
Go to IAM β Users β Create user
- Username: subham-dev
- Enable console access
- Custom password + force reset on first login
On the permissions screen β Add user to group β select "Developers"
Click Create user and save his sign-in details
β Done! Subham now has EC2 access automatically β no extra policy needed.
πΊοΈ Continue the Hands-On Series
4.1 β β Creating IAM Users
4.2 β β Creating and Managing IAM Groups (you are here)
4.3 β Writing and Attaching IAM Policies
4.4 β Creating IAM Roles: Human & Service
Next up β the policies we've been attaching are all AWS-managed defaults. In Chapter 4.3, we look under the hood at what those policies actually say, and write a simple custom one that gives Aarav exactly what he needs β and nothing more.
π Chapter 4.3: Writing and Attaching IAM Policies β (Read it here)
Resources I'm learning from:
- roadmap.sh/aws β my learning roadmap
- AWS Official Overview Whitepaper β straight from the source




Top comments (0)