What it is: A collection of IAM users.

What it’s for:

• Attach policies once to the group; all users inherit the group permissions.
• Make permission management simpler and consistent.

Key ideas:

• Groups contain users only (not roles).
• A user can be in multiple groups.
• Group permissions = sum of policies attached (but deny still wins).

Exam cues:

• “give the same access to 20 developers” → use IAM Group.

Hard words:

• *inherit* /ɪnˈherɪt/: thừa hưởng
• *consistent* /kənˈsɪstənt/: nhất quán