====== IAM Group ======

**What it is:** A collection of IAM users.

**What it’s for:**
  * Attach policies once to the group; all users inherit the group permissions.
  * Make permission management simpler and consistent.

**Key ideas:**
  * Groups contain **users only** (not roles).
  * A user can be in multiple groups.
  * Group permissions = sum of policies attached (but deny still wins).

**Exam cues:**
  * “give the same access to 20 developers” → use IAM Group.

**Hard words:**
  * *inherit* /ɪnˈherɪt/: to receive something passed down
  * *consistent* /kənˈsɪstənt/: uniform, the same throughout