AWS_IN_GROUP

Summary

Description

AWS_IN_GROUP represents that an IAM user is a member of one or more IAM groups.

In AWS IAM, groups are a major permission inheritance boundary. A user in a group receives permissions from:

• Managed policies attached to that group.

• Inline policies defined on that group.

This edge is not directly exploitable alone, but it is critical for understanding effective permissions and escalation chains, especially when combined with AWS_ATTACHED_POLICY.

Identification

AWS CLI

List groups for a user:

Inspect policy context of a group:

Enumerate all user-group relationships:

AWS Console

• Open IAM -> Users -> select a user.

• Open Groups tab to review membership.

• Open each group to inspect managed and inline policies.

Exploitation

There is no direct exploit path for this edge. AWS_IN_GROUP is a membership relationship.

Privilege impact depends on what the group grants through attached or inline policies.

Mitigation

• Keep IAM groups purpose-specific and least-privilege.

• Regularly review group memberships for privileged groups.

• Remove unnecessary user memberships quickly.

• Use temporary role assumption for elevated tasks when possible.

Detection

Monitor CloudTrail for membership changes:

• AddUserToGroup

• RemoveUserFromGroup

Investigate events affecting privileged groups first.

References

• https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListGroupsForUser.html

• https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html

• https://docs.aws.amazon.com/IAM/latest/APIReference/API_RemoveUserFromGroup.html

• https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html