AWS_IN_GROUP

Summary

FSProtect ACL Alias: AWS_IN_GROUP
Edge Type: Relationship
Affected Object Types: IAM Users, IAM Groups
Exploitation Certainty: Certain
AWS IAM Action / Condition: Relationship visibility via iam:ListGroupsForUser; membership changes via iam:AddUserToGroup and iam:RemoveUserFromGroup

Description

AWS_IN_GROUP represents that an IAM user is a member of one or more IAM groups.

In AWS IAM, groups are a major permission inheritance boundary. A user in a group receives permissions from:

  • Managed policies attached to that group.

  • Inline policies defined on that group.

This edge is not directly exploitable alone, but it is critical for understanding effective permissions and escalation chains, especially when combined with AWS_ATTACHED_POLICY.

Identification

AWS CLI

List groups for a user:

Inspect policy context of a group:

Enumerate all user-group relationships:

AWS Console

  • Open IAM -> Users -> select a user.

  • Open Groups tab to review membership.

  • Open each group to inspect managed and inline policies.
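As an added example that is not part of this page or of FSProtect, the following Python derives AWS_IN_GROUP edges from data in the shape returned by `aws iam get-account-authorization-details` and follows each edge into the group's managed and inline policies, which is how this edge combines with AWS_ATTACHED_POLICY to give a user's effective permissions; the sample data and the function names are constructed for the example.

```python
"""Derive AWS_IN_GROUP edges and group-inherited policies (constructed sample data)."""
from collections import defaultdict

# Constructed sample in the shape of `aws iam get-account-authorization-details`.
SAMPLE_DETAILS = {
    "UserDetailList": [
        {"UserName": "alice", "GroupList": ["Developers", "Admins"]},
        {"UserName": "bob", "GroupList": ["Developers"]},
        {"UserName": "carol", "GroupList": []},
    ],
    "GroupDetailList": [
        {"GroupName": "Developers",
         "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAccess",
                                      "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}],
         "GroupPolicyList": [{"PolicyName": "dev-s3-inline"}]},
        {"GroupName": "Admins",
         "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess",
                                      "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
         "GroupPolicyList": []},
    ],
}


def in_group_edges(details):
    """AWS_IN_GROUP edges as (user, group) tuples, one per membership."""
    return [(u["UserName"], g)
            for u in details["UserDetailList"] for g in u.get("GroupList", [])]


def group_policies(details):
    """Group name -> policies the group grants (managed ARNs plus inline names)."""
    out = {}
    for g in details["GroupDetailList"]:
        managed = {p["PolicyArn"] for p in g.get("AttachedManagedPolicies", [])}
        inline = {"inline:" + p["PolicyName"] for p in g.get("GroupPolicyList", [])}
        out[g["GroupName"]] = managed | inline
    return out


def inherited_policies(details):
    """User -> policies reached by following AWS_IN_GROUP into the group's policies."""
    policies = group_policies(details)
    inherited = defaultdict(set)
    for user, group in in_group_edges(details):
        inherited[user] |= policies.get(group, set())
    return dict(inherited)


def users_reaching_policy(details, policy_arn):
    """Users who inherit a given managed policy through group membership alone."""
    return sorted(u for u, p in inherited_policies(details).items() if policy_arn in p)
```

Running `users_reaching_policy(SAMPLE_DETAILS, "arn:aws:iam::aws:policy/AdministratorAccess")` on the sample shows which users reach a privileged policy only through a group, which is the membership a reviewer should verify first.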

Exploitation

There is no direct exploit path for this edge. AWS_IN_GROUP is a membership relationship.

Privilege impact depends on what the group grants through attached or inline policies.

Mitigation

  • Keep IAM groups purpose-specific and least-privilege.

  • Regularly review group memberships for privileged groups.

  • Remove unnecessary user memberships quickly.

  • Use temporary role assumption for elevated tasks when possible.

Detection

Monitor CloudTrail for membership changes:

  • AddUserToGroup

  • RemoveUserFromGroup

Investigate events affecting privileged groups first.
