I should say too that the groups i created to identify and manage access in a ldap directory are in the format:
cn=aws8765309-administrator,ou=groups,o=data
cn=aws8765309-read-only,ou=groups,o=data
When you look at the regex this factors into the extraction.