I want to be able to specify an iam group as the principal within my policy but i have been reading that you cannot specify an iam group as part of a resource based policy. I could potentially add in a list of iam users but then my policy would look really messy. What is the best approach to take if i cannot add an iam group arn as the principal within my policy.
If you cannot specify an IAM group as the principal in a resource-based policy, you have a few options:
Attach the policy directly to the IAM users: In this case, you would need to specify each IAM user ARN in the policy. This approach can quickly become messy and difficult to manage as the number of IAM users grows.
Use an IAM role: An IAM role is a way to grant permissions to AWS services or applications that run on AWS. You can create an IAM role that can be assumed by IAM users or IAM groups. You can then specify the IAM role in the policy instead of the IAM users or IAM groups. This approach provides a cleaner and more scalable way to manage permissions.
Use a service control policy (SCP): An SCP is a type of policy that is used to set permissions boundaries for an AWS account. You can use an SCP to allow or deny access to AWS services for IAM groups, IAM users, or IAM roles. This allows you to manage permissions for multiple users in a centralized and organized manner.
I would recommend option 2 or 3 as the best approach, as they provide a cleaner and more scalable way to manage permissions compared to specifying individual IAM user ARNs in the policy.