diff --git a/demo-13/iam.tf b/demo-13/iam.tf
new file mode 100644
index 0000000..58cf30b
--- /dev/null
+++ b/demo-13/iam.tf
@@ -0,0 +1,24 @@
+# group definition
+resource "aws_iam_group" "administrators" {
+    name = "administrators"
+}
+resource "aws_iam_policy_attachment" "administrators-attach" {
+    name = "administrators-attach"
+    groups = ["${aws_iam_group.administrators.name}"]
+    policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+# user
+resource "aws_iam_user" "admin1" {
+    name = "admin1"
+}
+resource "aws_iam_user" "admin2" {
+    name = "admin2"
+}
+resource "aws_iam_group_membership" "administrators-users" {
+    name = "administrators-users"
+    users = [
+        "${aws_iam_user.admin1.name}",
+        "${aws_iam_user.admin2.name}",
+    ]
+    group = "${aws_iam_group.administrators.name}"
+}
diff --git a/demo-13/provider.tf b/demo-13/provider.tf
new file mode 100644
index 0000000..ded6d8c
--- /dev/null
+++ b/demo-13/provider.tf
@@ -0,0 +1,3 @@
+provider "aws" { 
+    region = "${var.AWS_REGION}"
+}
diff --git a/demo-13/vars.tf b/demo-13/vars.tf
new file mode 100644
index 0000000..7c29d8c
--- /dev/null
+++ b/demo-13/vars.tf
@@ -0,0 +1,3 @@
+variable "AWS_REGION" {
+  default = "eu-west-1"
+}