IAM groups are used to mimic this security feature in your organization groups. You could think of it as active directory groups. For example, in your organization, you would have administrators, developers, and testers. To create a group, you can use the AWS Management Console, the SDK, or the CLI. Once you have created a group, you can attach it to a user or, alternatively, you can create one when you are creating a new user. I tend to attach IAM policies to a group, and then assign groups to users, as it makes it much easier to manage and standardizes access. For example, I can assign the data science group to new joiners of the team knowing that it's identical to the other users. Equally, if someone leaves, then their magical policies will not be deleted with them!