By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users.
Perform the following to create an IAM group and assign a policy to it:
Perform the following to add a user to a given group:
Perform the following to remove a direct association between a user and policy: