DEV Community

Cover image for Pixel & Spoon Hands-On: Creating and Managing IAM Groups πŸ‘₯

Pixel & Spoon Hands-On: Creating and Managing IAM Groups πŸ‘₯

Chapter 4.2 β€” Hands-on companion to Chapter 4: IAM: The Gatekeeper of AWS. In the last post, we gave Aarav, Meera, and Rohit their own IAM users. Today we fix the messy part β€” permissions managed properly through groups.


Where We Left Off

In Chapter 4.1, we created three IAM users for Pixel & Spoon's team:

  • aarav-dev β€” backend developer
  • meera-design β€” UI designer
  • rohit-devops β€” DevOps engineer

We attached policies directly to each user β€” which worked, but it's not how real teams manage access.

Here's why that approach breaks quickly.

Next month, Pixel & Spoon hires a second backend developer. You'd have to remember exactly which policies Aarav has, then manually replicate them on the new hire. Then again for the third. Then again when you decide all developers need an extra permission β€” and now you have to update every single developer's user one by one.

That's not scalable. That's not even fun.

IAM Groups fix this completely.


πŸ—‚οΈ The Idea in One Sentence

Instead of managing permissions per person β€” manage them per role.

Create a Developers group. Attach the right policies to it. Add Aarav to it. Done. When the second developer joins, just add them to the same group β€” they instantly have identical access, zero extra config.

❌ Without Groups

   aarav-dev       β†’   EC2FullAccess (manually attached)
   new-developer   β†’   EC2FullAccess (manually remembered and attached)
   another-dev     β†’   EC2FullAccess (manually attached again...)

βœ… With Groups

   Developers Group  β†’  EC2FullAccess (attached once)
        β”‚
        β”œβ”€β”€ aarav-dev         (inherits automatically)
        β”œβ”€β”€ new-developer     (inherits automatically)
        └── another-dev       (inherits automatically)
Enter fullscreen mode Exit fullscreen mode

One policy. One place to update. Everyone in the group stays in sync.


πŸ› οΈ Step-by-Step: Creating the Developers Group

We'll create three groups for Pixel & Spoon β€” Developers, Designers, and Admins. Let's do Developers first and walk through it fully.


Step 1 β€” Open IAM

In the AWS Console search bar, type IAM and open the IAM Dashboard.


Step 2 β€” Go to User Groups

On the left sidebar, click User groups β€” not "Users." It's just below it.

Click the orange Create group button.

IAM User Group


Step 3 β€” Name the Group

For the group name, use:

Developers
Enter fullscreen mode Exit fullscreen mode

Keep names simple, role-based, and capitalised for clarity. You'll thank yourself when you have 10 groups and need to scan through them quickly.


Step 4 β€” Add Users to the Group

Scroll down to the "Add users to the group" section. You'll see a list of your existing IAM users.

Tick the checkbox next to aarav-dev.

That's it for now β€” we'll add future developers here too when they join.


Step 5 β€” Attach a Permission Policy

Scroll further down to "Attach permissions policies".

Search for:

AmazonEC2FullAccess
Enter fullscreen mode Exit fullscreen mode

Tick it. This gives every member of the Developers group full access to EC2 β€” exactly what Aarav needs to build Pixel & Spoon's ordering backend.

πŸ’‘ We're using AmazonEC2FullAccess for now because it's a clean AWS-managed policy that matches what Aarav's role requires at this stage. In Chapter 4.3, we'll look at writing tighter, custom policies when the default ones are too broad.

Click Create group.

AWS IAM create group attach policy console screenshot


πŸ” Now Create the Other Two Groups

The process is identical β€” just different names, users, and policies.


Designers Group

Field Value
Group name Designers
Add user meera-design
Attach policy AmazonS3FullAccess

Meera needs S3 access to upload Pixel & Spoon's website assets, images, and frontend files. Nothing else.


Admins Group

Field Value
Group name Admins
Add user rohit-devops
Attach policy AdministratorAccess

Rohit is DevOps β€” he needs broad infrastructure access to keep everything running. AdministratorAccess is the most powerful AWS-managed policy. Treat group membership carefully here β€” only people who genuinely need full access belong in Admins.
AWS IAM user groups list page screenshot


🧹 Clean Up: Remove the Old Direct Policies

Remember in Chapter 4.1 we attached policies directly to each user as a temporary workaround?

Now that groups exist, those direct attachments are redundant β€” and having both can cause confusion later. Let's remove them.

Step 1 β€” In IAM, go to Users β†’ click aarav-dev.

Step 2 β€” Click the Permissions tab. You'll see both the directly attached AmazonEC2FullAccess policy and the group-inherited one.

Step 3 β€” Click the X next to the directly attached policy to remove it.

If you donnt see the [x] button next to the directly attached, Remove the AmazonEC2FullAccess completly and then add the user again to the Developers Group.

Aarav still has EC2 access β€” now cleanly inherited from the Developers group, not attached twice.

Repeat for meera-design (remove direct S3 policy) and rohit-devops (remove direct AdministratorAccess).

AWS IAM user permissions tab remove policy screenshot


βœ… What Pixel & Spoon Looks Like Now

🏒 Pixel & Spoon β€” AWS Account

πŸ‘₯ Developers Group   β†’  AmazonEC2FullAccess
        └── aarav-dev

πŸ‘₯ Designers Group    β†’  AmazonS3FullAccess
        └── meera-design

πŸ‘₯ Admins Group       β†’  AdministratorAccess
        └── rohit-devops

πŸ”’ Root account       β†’  Locked away with MFA
Enter fullscreen mode Exit fullscreen mode

Clean. Organised. Scalable.

When Pixel & Spoon hires its next backend developer, you open the Developers group, add their user, and walk away. They have exactly the right access in under 30 seconds.

When you need all developers to also access Lambda (which we'll need later in the series), you add the Lambda policy to the Developers group once β€” and every developer gets it instantly.

That's the power of managing permissions through groups.

πŸ› οΈ Try It Yourself: Create a new user and add them to a group

Task: Pixel & Spoon just hired a second backend developer β€” Subham.
Goal: Create his IAM user and add him to the Developers group.

Steps:

  1. Go to IAM β†’ Users β†’ Create user

    • Username: subham-dev
    • Enable console access
    • Custom password + force reset on first login
  2. On the permissions screen β†’ Add user to group β†’ select "Developers"

  3. Click Create user and save his sign-in details

βœ… Done! Subham now has EC2 access automatically β€” no extra policy needed.


πŸ—ΊοΈ Continue the Hands-On Series

4.1 β€” βœ… Creating IAM Users

4.2 β€” βœ… Creating and Managing IAM Groups (you are here)

4.3 β€” Writing and Attaching IAM Policies

4.4 β€” Creating IAM Roles: Human & Service

Next up β€” the policies we've been attaching are all AWS-managed defaults. In Chapter 4.3, we look under the hood at what those policies actually say, and write a simple custom one that gives Aarav exactly what he needs β€” and nothing more.

πŸ‘‰ Chapter 4.3: Writing and Attaching IAM Policies β†’ (Read it here)


Resources I'm learning from:


Top comments (0)