AWS IAM Users and Groups
Create IAM users, organize them into groups, and decide when console access or programmatic access is appropriate.
IAM users and groups are the simplest building blocks for human access in AWS. An IAM user represents a person or long-lived identity, while a group is a container that lets you attach one policy set to many users at once. Groups keep access management from turning into a manual, user-by-user process.
A common workflow is to create a user, decide whether they need console access, programmatic access, or both, and then add the user to one or more groups such as developers, auditors, or billing-readonly. Policies are usually attached to the group rather than directly to the user so permission changes stay centralized and consistent.
| Access type | When to use it |
|---|---|
| Console access | Interactive work in the AWS web console |
| Programmatic access | CLI, SDK, automation, or scripts |
| Group membership | Shared permissions for teams or functions |
Programmatic access creates access keys, which should be treated like secrets. If you can avoid long-lived keys by using roles or federation, that is usually better. When you do create keys, store them securely and rotate them regularly. Console passwords also deserve care: require MFA and avoid sharing accounts between people.
Users and groups work well for small teams or learning environments, but they are often only the starting point. As organizations mature, they rely more on roles, identity federation, and centralized access patterns. Still, understanding users and groups is essential because many policies, audit findings, and older environments still depend on them.
Continue with AWS IAM for the big picture and AWS IAM Roles and Policies for more advanced permission design.
aws iam create-user --user-name alice
aws iam create-group --group-name developers
aws iam add-user-to-group --user-name alice --group-name developers
aws iam list-groups-for-user --user-name alice
Operational note
Permission work improves when it is reviewed as part of normal delivery rather than treated as a one-time security task. When a new team, service, or pipeline is introduced, decide which identity it should use, what the smallest permission set looks like, and how you will audit changes later through CloudTrail and IAM reports. Shared standards like this make future environments easier to launch, review, and support.
Groups
Why do IAM groups help simplify permission management?
Programmatic access
What is created when an IAM user receives programmatic access?