diff --git a/kong/plugins/acl/api.lua b/kong/plugins/acl/api.lua index 49821de3aa4..15ccd0d40b5 100644 --- a/kong/plugins/acl/api.lua +++ b/kong/plugins/acl/api.lua @@ -1,4 +1,5 @@ local crud = require "kong.api.crud_helpers" +local utils = require "kong.tools.utils" return { ["/consumers/:username_or_id/acls/"] = { @@ -20,15 +21,18 @@ return { end }, - ["/consumers/:username_or_id/acls/:id"] = { + ["/consumers/:username_or_id/acls/:group_or_id"] = { before = function(self, dao_factory, helpers) crud.find_consumer_by_username_or_id(self, dao_factory, helpers) self.params.consumer_id = self.consumer.id - local acls, err = dao_factory.acls:find_all { + local filter_keys = { + [utils.is_valid_uuid(self.params.group_or_id) and "id" or "group"] = self.params.group_or_id, consumer_id = self.params.consumer_id, - id = self.params.id } + self.params.group_or_id = nil + + local acls, err = dao_factory.acls:find_all(filter_keys) if err then return helpers.yield_error(err) elseif #acls == 0 then diff --git a/spec/03-plugins/10-acl/01-api_spec.lua b/spec/03-plugins/10-acl/01-api_spec.lua index f61545cf924..8c952e2cdbf 100644 --- a/spec/03-plugins/10-acl/01-api_spec.lua +++ b/spec/03-plugins/10-acl/01-api_spec.lua @@ -116,13 +116,17 @@ describe("Plugin: acl (API)", function() end) describe("/consumers/:consumer/acls/:id", function() - local acl + local acl, acl2 before_each(function() helpers.dao:truncate_table("acls") acl = assert(helpers.dao.acls:insert { group = "hello", consumer_id = consumer.id }) + acl2 = assert(helpers.dao.acls:insert { + group = "hello2", + consumer_id = consumer.id + }) end) describe("GET", function() it("retrieves by id", function() 
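Review bot: The key selection in `filter_keys` (second hunk of `kong/plugins/acl/api.lua`) treats every value that passes `utils.is_valid_uuid` as an `id`, so an ACL group whose name is UUID-shaped can never be fetched, patched or deleted by name through `/consumers/:username_or_id/acls/:group_or_id`. The `consumer_id` entry keeps the lookup scoped to the consumer in both cases, but the rule is undocumented and the spec does not cover it. I would add a comment above the table, `-- UUID-shaped values are always looked up as ids; a group named like a UUID is only reachable by its id`, and one on `self.params.group_or_id = nil` explaining why the parameter is cleared (presumably so that it is not carried into later handling as a field). Whether several rows can match one group for a consumer, and which row the handlers then act on, depends on code after `#acls == 0` that lies outside the hunk.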
@@ -134,6 +138,15 @@ describe("Plugin: acl (API)", function() local json = cjson.decode(body) assert.equal(acl.id, json.id) end) + it("retrieves by group", function() + local res = assert(admin_client:send { + method = "GET", + path = "/consumers/bob/acls/"..acl.group + }) + local body = assert.res_status(200, res) + local json = cjson.decode(body) + assert.equal(acl.id, json.id) + end) it("retrieves ACL by id only if the ACL belongs to the specified consumer", function() assert(helpers.dao.consumers:insert { username = "alice" @@ -151,10 +164,23 @@ describe("Plugin: acl (API)", function() }) assert.res_status(404, res) end) + it("retrieves ACL by group only if the ACL belongs to the specified consumer", function() + local res = assert(admin_client:send { + method = "GET", + path = "/consumers/bob/acls/"..acl.group + }) + assert.res_status(200, res) + + res = assert(admin_client:send { + method = "GET", + path = "/consumers/alice/acls/"..acl.group + }) + assert.res_status(404, res) + end) end) describe("PATCH", function() - it("updates an ACL group", function() + it("updates an ACL group by id", function() local previous_group = acl.group local res = assert(admin_client:send { @@ -171,6 +197,23 @@ describe("Plugin: acl (API)", function() local json = cjson.decode(body) assert.not_equal(previous_group, json.group) end) + it("updates an ACL group by group", function() + local previous_group = acl.group + + local res = assert(admin_client:send { + method = "PATCH", + path = "/consumers/bob/acls/"..acl.group, + body = { + group = "updatedGroup2" + }, + headers = { + ["Content-Type"] = "application/json" + } + }) + local body = assert.res_status(200, res) + local json = cjson.decode(body) + assert.not_equal(previous_group, json.group) + end) describe("errors", function() it("handles invalid input", function() local res = assert(admin_client:send { 
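Review bot: In the `@@ -151,10 +164,23 @@` hunk, the new test "retrieves ACL by group only if the ACL belongs to the specified consumer" requests `/consumers/alice/acls/` without creating alice; the only visible insert of that consumer is inside the preceding `it`, and `before_each` truncates only `acls`. If alice is absent when this test runs, the 404 would presumably come from the consumer lookup and not from the `consumer_id` filter, so the test would not show that group lookups are scoped per consumer. Creating the consumer in shared setup for this `describe` would remove the dependence on test order. Giving alice an ACL with a different group would also make the negative case specific to the group filter.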
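Review bot: In the `@@ -171,6 +197,23 @@` hunk, `assert.not_equal(previous_group, json.group)` passes for any changed value and does not confirm which row was updated. The request sends `group = "updatedGroup2"`, so the test can pin the result with `assert.equal("updatedGroup2", json.group)` and `assert.equal(acl.id, json.id)`. The second assertion matters here because the row is addressed by name and `acl2` now exists for the same consumer.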
@@ -188,20 +231,27 @@ describe("Plugin: acl (API)", function() end) describe("DELETE", function() - it("deletes an ACL group", function() + it("deletes an ACL group by id", function() local res = assert(admin_client:send { method = "DELETE", path = "/consumers/bob/acls/"..acl.id, }) assert.res_status(204, res) end) + it("deletes an ACL group by group", function() + local res = assert(admin_client:send { + method = "DELETE", + path = "/consumers/bob/acls/"..acl2.group, + }) + assert.res_status(204, res) + end) describe("errors", function() - it("returns 400 on invalid input", function() + it("returns 404 on missing group", function() local res = assert(admin_client:send { method = "DELETE", path = "/consumers/bob/acls/blah" }) - assert.res_status(400, res) + assert.res_status(404, res) end) it("returns 404 if not found", function() local res = assert(admin_client:send {
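Review bot: The new "deletes an ACL group by group" test checks only the 204 status, so it would still pass if the handler removed a different row of the same consumer. Both `acl` and `acl2` belong to bob, and removing the wrong group entry changes what that consumer is authorised for. The test should therefore confirm that `acl2.group` is gone and `acl.group` is still present. The last `it` in this hunk continues outside it.

```lua
it("deletes an ACL group by group", function()
  -- … unchanged: DELETE request for acl2.group and the 204 assertion …

  -- the group addressed by name is gone
  res = assert(admin_client:send {
    method = "GET",
    path = "/consumers/bob/acls/"..acl2.group
  })
  assert.res_status(404, res)

  -- the consumer's other group is untouched
  res = assert(admin_client:send {
    method = "GET",
    path = "/consumers/bob/acls/"..acl.group
  })
  assert.res_status(200, res)
end)
```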