Back to AWS Identity and Access Management (IAM)

IAM Groups

5 minutes 5 Questions

IAM groups are logical collections of IAM users with similar roles or permissions. You can streamline management and efficiency by assigning AWS permissions to a group, which subsequently applies to all its members, making it easier to work with multiple users with the same level of access. IAM gro…

Guide on AWS IAM Groups at /concept/aws-solution-architect/aws-iam/iam-groups/

IAM (Identity and Access Management) Groups within the Amazon Web Services (AWS) platform is a crucial concept to understand for the Solution Architect exam.

What is IAM Groups?
IAM Groups is a feature of AWS IAM. This allows you to manage multiple IAM users as a single entity. Users in an IAM Group essentially inherit all the permissions attached to that Group.

Why is IAM Groups Important?
The IAM Groups functionality is important as it allows efficient assignment and management of permissions when handling multiple users, rather than managing each user separately. Thus, contributing to increasing security in an AWS environment.

How Does IAM Groups Work?
IAM Groups works by allowing you to bundle multiple IAM Users together under one group and assigning permissions to that group. Any user added to the group automatically receives the permissions assigned to that group.

Exam Tips: Answering Questions on IAM Groups
1. Remember that groups are not truly an identity because they cannot be identified as a principal. IAM groups cannot directly have access permissions, create access keys, or login to the AWS console.
2. When a user is removed from a group, they no longer inherit the permissions of that group.
3. If permissions are changed for a group, all users in that group immediately get the new permissions.
4. Emphasize on the scalability and efficiency of IAM Groups in managing permissions for multiple users.
These tips should give you the edge in answering IAM Groups related questions in the AWS Solution Architect exam. Study and understand the functionality and importance of IAM Groups to succeed.

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

AWS Certified Solutions Architect - IAM Groups Example Questions

Test your knowledge of IAM Groups

Question 1

In a single AWS account, each employee is an IAM user assigned to their department (HR, Finance, Marketing). You must enforce least-privilege S3 access so each department can access only its own department bucket (e.g., HR to only the HR bucket) and cannot access any other S3 buckets. Implement this using IAM identity-based permissions only; do not use bucket policies, VPC endpoint policies, or EC2/Security Group configurations. Which approach best meets these requirements in a scalable way?

Create a single IAM Group for all departments and then define bucket policies to allow access to each department's corresponding S3 bucket. Create VPC Endpoints for each department, allowing them access to only their corresponding S3 buckets. Establish EC2 instances for each department, and restrict S3 access via Security Group rules. Create IAM Groups for each department, and attach policies allowing access only to the corresponding S3 buckets.

Correct Answer: Create IAM Groups for each department, and attach policies allowing access only to the corresponding S3 buckets.

Creating a separate IAM group per department and attaching least‑privilege, identity‑based policies that scope permissions to that department’s bucket is the correct, scalable approach under the stated constraints. Each group’s policy can allow s3:ListBucket on the department bucket (optionally scoped by prefix) and s3:GetObject/PutObject/DeleteObject on that bucket’s objects only (e.g., arn:aws:s3:::hr-bucket and arn:aws:s3:::hr-bucket/*). This cleanly isolates access by identity and requires no bucket policies, VPC endpoint policies, or EC2/Security Group mechanisms. The other options either rely on bucket policies or network controls, which are excluded by the question or are not appropriate for enforcing S3 authorization.

Question 2

An engineer must work on three projects that each require different AWS permissions. Company policy states: (1) every IAM user must belong to exactly one existing IAM group, (2) policies must not be attached directly to users, and (3) you may not create new groups for one-off combinations of permissions. How should you grant the engineer the permissions needed for all three projects while complying with policy?

Create a new IAM Group with the combined permissions of all three projects and place the user in this group. Create a user with the required permissions for one project and then create multiple IAM roles for the other projects, allowing the user to assume those roles. Attach multiple IAM Policies directly to the user with the required permissions for each project. Create separate IAM accounts for the user and grant each account corresponding permissions for one project.

Correct Answer: Create a user with the required permissions for one project and then create multiple IAM roles for the other projects, allowing the user to assume those roles.

Given the constraints that each IAM user must belong to exactly one group, no policies may be attached directly to users, and new custom groups cannot be created for one-off permission combinations, the correct approach is to use role assumption for additional projects. Keep the user in a single group that grants the base project's permissions, then create project-specific IAM roles for the other projects and allow the user (via the group's permissions) to assume those roles using sts:AssumeRole. This satisfies the one-group policy, avoids direct user-attached policies, and enables least-privilege, on-demand access per project. Creating a new group that combines all permissions violates the prohibition on ad-hoc groups; attaching policies directly to the user is disallowed; creating separate IAM accounts for the same person is poor practice and unnecessary.

Question 3

Your company wants a group of IAM users to be able to access AWS resources only when requests originate from your corporate office public IP addresses. You need a centralized, scalable solution that applies across AWS services. What should you do?

Create a VPC Endpoint and restrict access to the resources within the VPC. Attach a policy to each IAM User with a condition that allows access only from the company's IP addresses. Create an S3 bucket policy that allows access only from the company's IP addresses. Attach a policy to the IAM Group with a condition that allows access only from the company's IP addresses.

Correct Answer: Attach a policy to the IAM Group with a condition that allows access only from the company's IP addresses.

Attaching a single identity-based policy to the IAM Group with a condition that checks aws:SourceIp against your company’s public IP CIDR range enforces that all API requests made by users in that group are only allowed when originating from your corporate network. This is centralized, scalable, and applies across AWS services. Attaching identical policies to each user would work technically but is not operationally efficient. A VPC endpoint controls network paths within AWS and does not ensure requests come from your corporate IPs, especially for users accessing from the public internet. An S3 bucket policy applies only to S3 and does not satisfy a cross-service requirement.

🎓 Unlock Premium Access

AWS Certified Solutions Architect - Associate + ALL Certifications

🎓 Access to ALL Certifications: Study for any certification on our platform with one subscription
5645 Superior-grade AWS Certified Solutions Architect - Associate practice questions
Unlimited practice tests across all certifications
Detailed explanations for every question
AWS Certified Solutions Architect: 5 full exams plus all other certification exams
100% Satisfaction Guaranteed: Full refund if unsatisfied
Risk-Free: 7-day free trial with all premium features!

Start Your Free 7-Day Trial