Perform the following to create an IAM group and assign a policy to it:

• 1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  
  
• 2. In the navigation pane, click Groups and then click Create New Group .

• 3. In the Group Name box, type the name of the group and then click Next Step .
  
  
• 4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click Next Step .
• 5. Click Create Group.
  
  

Perform the following to add a user to a given group:

• 1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  
  
• 2. In the navigation pane, click Groups
  
  
• 3. Select the group to add a user
  
  
• 4. Click Add Users To Group
  
  
• 5. Select the users to be added to the group
  
  
• 6. Click Add Users
  
  

Perform the following to remove a direct association between a user and policy:

• 1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  
  
• 2. In the left navigation pane, click on Users
  
  
• 3. For each user:
  
  
  • 1. Select the user
    
    
  • 2. Click on the Permissions tab
    
    
  • 3. Expand Managed Policies
    
    
  • 4. Click Detach Policy for each policy
    
    
  • 5. Expand Inline Policies
    
    
  • 6. Click Remove Policy for each policy

References:

1. http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
2. http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html