Description:
IAM users are granted access to services, functions, and data through IAM policies. There are three ways to grant a policy to a user: 1) embed the policy in the user as an inline policy (also called a user policy); 2) attach a managed policy directly to the user; 3) add the user to an IAM group that has a policy attached.
Only the third implementation is recommended.
Rationale:
Assigning IAM policies only through groups consolidates permissions management into a single, flexible layer that maps to organizational job functions. With permissions managed in one place, grants are easier to review and audit, and the likelihood of excessive or stale permissions is reduced.
Remediation:
Perform the following to create an IAM group and assign a policy to it:
Perform the following to add a user to a given group:
Perform the following to remove a direct association between a user and policy:
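The following script is an added example, not part of the benchmark text. It audits users for the two non-compliant cases (inline policies and directly attached managed policies) and emits the AWS CLI commands that carry out the three remediation steps above for each offender: create a group and attach the policy to it, add the user to the group, then remove the direct association. The input format is that of `aws iam get-account-authorization-details --filter User`; the sample embedded below is constructed for this example, and the user, group, policy names and account ID are hypothetical. An inline policy has no ARN, so the script first recreates it as a customer managed policy with `create-policy` (assuming no policy of that name already exists in the account) before attaching it to the group.

```python
import json
import shlex

# Constructed sample of `aws iam get-account-authorization-details --filter User`
# output, trimmed to the fields this check uses. All names are hypothetical.
SAMPLE_AUTH_DETAILS = json.dumps({
    "UserDetailList": [
        {   # compliant: every permission comes through group membership
            "UserName": "alice", "GroupList": ["Developers"],
            "AttachedManagedPolicies": [], "UserPolicyList": []
        },
        {   # non-compliant: managed policy attached directly to the user
            "UserName": "bob", "GroupList": [],
            "AttachedManagedPolicies": [
                {"PolicyName": "AmazonS3ReadOnlyAccess",
                 "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}],
            "UserPolicyList": []
        },
        {   # non-compliant: inline (user) policy embedded in the user
            "UserName": "carol", "GroupList": ["Developers"],
            "AttachedManagedPolicies": [],
            "UserPolicyList": [
                {"PolicyName": "ec2-describe",
                 "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                     {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}}]
        },
    ]
})


def find_noncompliant_users(auth_details_json):
    """Audit step: return {user_name: user_detail} for every user that has an
    inline policy (UserPolicyList) or a directly attached managed policy
    (AttachedManagedPolicies). Users whose only grants come via GroupList
    are compliant and are not returned."""
    findings = {}
    for user in json.loads(auth_details_json).get("UserDetailList", []):
        if user.get("UserPolicyList") or user.get("AttachedManagedPolicies"):
            findings[user["UserName"]] = user
    return findings


def remediation_commands(user_detail, group_name, account_id):
    """Build the AWS CLI commands that move one user's direct grants into
    `group_name`. Group-side grants are created before the direct grants are
    removed, so the user never passes through a state with no permissions."""
    user = user_detail["UserName"]
    cmds = [f"aws iam create-group --group-name {group_name}"]

    # Step 1: attach policies to the group. Inline policies have no ARN, so
    # each is recreated as a customer managed policy first (hypothetical
    # account ID gives the ARN the new policy will receive).
    for p in user_detail.get("UserPolicyList", []):
        doc = shlex.quote(json.dumps(p["PolicyDocument"], separators=(",", ":")))
        cmds.append(f"aws iam create-policy --policy-name {p['PolicyName']} "
                    f"--policy-document {doc}")
        arn = f"arn:aws:iam::{account_id}:policy/{p['PolicyName']}"
        cmds.append(f"aws iam attach-group-policy --group-name {group_name} --policy-arn {arn}")
    for p in user_detail.get("AttachedManagedPolicies", []):
        cmds.append(f"aws iam attach-group-policy --group-name {group_name} "
                    f"--policy-arn {p['PolicyArn']}")

    # Step 2: add the user to the group.
    cmds.append(f"aws iam add-user-to-group --group-name {group_name} --user-name {user}")

    # Step 3: remove the direct associations now that the group carries them.
    for p in user_detail.get("AttachedManagedPolicies", []):
        cmds.append(f"aws iam detach-user-policy --user-name {user} --policy-arn {p['PolicyArn']}")
    for p in user_detail.get("UserPolicyList", []):
        cmds.append(f"aws iam delete-user-policy --user-name {user} --policy-name {p['PolicyName']}")
    return cmds


if __name__ == "__main__":
    # In real use, read the JSON from the CLI call named above instead of the sample.
    for name, detail in find_noncompliant_users(SAMPLE_AUTH_DETAILS).items():
        print(f"# {name}: inline={[p['PolicyName'] for p in detail['UserPolicyList']]} "
              f"attached={[p['PolicyArn'] for p in detail['AttachedManagedPolicies']]}")
        for cmd in remediation_commands(detail, f"{name}-group", "123456789012"):
            print(cmd)
```

The script only prints the commands; review them before running, since the generated group name is a placeholder and several users with the same job function should normally share one group rather than each getting their own.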