> For the complete documentation index, see [llms.txt](https://docs.forestall.io/fsprotect/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.forestall.io/fsprotect/edges/aws/aws_in_group.md). # AWS\_IN\_GROUP ## Summary | | | | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------ | | **FSProtect ACL Alias** | AWS\_IN\_GROUP | | **Edge Type** | Relationship | | **Affected Object Types** | IAM Users, IAM Groups | | **Exploitation Certainty** | Certain | | **AWS IAM Action / Condition** | Relationship visibility via `iam:ListGroupsForUser`; membership changes via `iam:AddUserToGroup` and `iam:RemoveUserFromGroup` | ## Description `AWS_IN_GROUP` represents that an IAM user is a member of one or more IAM groups. In AWS IAM, groups are a major permission inheritance boundary. A user in a group receives permissions from: * Managed policies attached to that group. * Inline policies defined on that group. This edge is not directly exploitable alone, but it is critical for understanding effective permissions and escalation chains, especially when combined with [`AWS_ATTACHED_POLICY`](https://docs.forestall.io/fsprotect/edges/aws/aws_attached_policy). ## Identification ### AWS CLI List groups for a user: ```bash aws iam list-groups-for-user --user-name TargetUser ``` Inspect policy context of a group: ```bash aws iam list-attached-group-policies --group-name TargetGroup aws iam list-group-policies --group-name TargetGroup ``` Enumerate all user-group relationships: ```bash for u in $(aws iam list-users --query 'Users[].UserName' --output text); do aws iam list-groups-for-user --user-name "$u" \ --query "Groups[].{User:'$u',Group:GroupName}" --output table done ``` ### AWS Console * Open **IAM** -> **Users** -> select a user. * Open **Groups** tab to review membership. * Open each group to inspect managed and inline policies. ## Exploitation There is no direct exploit path for this edge. `AWS_IN_GROUP` is a membership relationship. Privilege impact depends on what the group grants through attached or inline policies. ## Mitigation * Keep IAM groups purpose-specific and least-privilege. * Regularly review group memberships for privileged groups. * Remove unnecessary user memberships quickly. * Use temporary role assumption for elevated tasks when possible. ## Detection Monitor CloudTrail for membership changes: * `AddUserToGroup` * `RemoveUserFromGroup` Investigate events affecting privileged groups first. ## References * * * * --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.forestall.io/fsprotect/edges/aws/aws_in_group.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.