- container for users
- can represent teams/departments in real life
- can have policies attached or inlined

limits:
- no native default group for all users
- group may not be nested
- not a real identity: resource policy cannot grant permissions to groups