Bird
Raised Fist0
AWScloud~5 mins

IAM users and groups in AWS - Commands & Configuration

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
Managing who can access your cloud resources is important. IAM users and groups help you organize and control permissions for people using your AWS account.
When you want to give a new employee access to AWS resources with specific permissions.
When you need to manage permissions for a team working on the same project.
When you want to avoid sharing your root account credentials for security.
When you want to apply the same permissions to multiple users easily.
When you want to track who performed actions in your AWS account.
Commands
This command creates a new group named 'Developers' to organize users with similar permissions.
Terminal
aws iam create-group --group-name Developers
Expected OutputExpected
{"Group":{"Path":"/","GroupName":"Developers","GroupId":"AGPAEXAMPLEID","Arn":"arn:aws:iam::123456789012:group/Developers","CreateDate":"2024-06-01T12:00:00Z"}}
--group-name - Specifies the name of the group to create.
This command creates a new IAM user named 'alice' who can be given permissions to access AWS resources.
Terminal
aws iam create-user --user-name alice
Expected OutputExpected
{"User":{"Path":"/","UserName":"alice","UserId":"AIDAEXAMPLEID","Arn":"arn:aws:iam::123456789012:user/alice","CreateDate":"2024-06-01T12:01:00Z"}}
--user-name - Specifies the name of the user to create.
This command adds the user 'alice' to the 'Developers' group so she inherits the group's permissions.
Terminal
aws iam add-user-to-group --user-name alice --group-name Developers
Expected OutputExpected
No output (command runs silently)
--user-name - Specifies the user to add to the group.
--group-name - Specifies the group to add the user to.
This command lists all groups that the user 'alice' belongs to, confirming the user is in the 'Developers' group.
Terminal
aws iam list-groups-for-user --user-name alice
Expected OutputExpected
{"Groups":[{"Path":"/","GroupName":"Developers","GroupId":"AGPAEXAMPLEID","Arn":"arn:aws:iam::123456789012:group/Developers","CreateDate":"2024-06-01T12:00:00Z"}]}
--user-name - Specifies the user whose groups are listed.
Key Concept

If you remember nothing else from this pattern, remember: IAM groups let you manage permissions for many users at once by adding users to groups.

Common Mistakes
Trying to assign permissions directly to a user without using groups.
This makes managing permissions harder when you have many users because you must update each user separately.
Create groups with the needed permissions and add users to those groups.
Using the root AWS account for daily tasks instead of IAM users.
The root account has full access and using it increases security risks.
Create IAM users with limited permissions for daily use.
Not verifying that a user was added to a group after running the add-user-to-group command.
You might think the user has permissions when they do not, causing access errors.
Run 'aws iam list-groups-for-user' to confirm group membership.
Summary
Create IAM groups to organize users with similar permissions.
Create IAM users for each person who needs access.
Add users to groups to grant them the group's permissions.
Verify group membership to ensure permissions are applied.

Practice

(1/5)
1. What is the main purpose of an IAM group in AWS?
easy
A. To organize multiple IAM users and assign permissions collectively
B. To store data securely in the cloud
C. To create virtual servers for applications
D. To monitor network traffic in AWS

Solution

  1. Step 1: Understand IAM user and group roles

    IAM users represent individuals or services, while groups organize these users.

  2. Step 2: Identify the purpose of groups

    Groups allow assigning permissions to many users at once, simplifying management.

  3. Final Answer:

    To organize multiple IAM users and assign permissions collectively -> Option A

  4. Quick Check:

    IAM groups = organize users + assign permissions [OK]
Hint: Groups bundle users for easy permission management [OK]
Common Mistakes:
  • Confusing groups with storage or servers
  • Thinking groups monitor network traffic
  • Believing groups are individual user accounts
2. Which of the following is the correct way to add an IAM user named alice to a group named Developers using AWS CLI?
easy
A. aws iam add-group-to-user --group-name Developers --user-name alice
B. aws iam attach-user-policy --user-name alice --policy-name Developers
C. aws iam add-user-to-group --user-name alice --group-name Developers
D. aws iam create-group --group-name Developers --user alice

Solution

  1. Step 1: Recall AWS CLI command for adding user to group

    The correct command is aws iam add-user-to-group with parameters --user-name and --group-name.

  2. Step 2: Match command syntax with options

    aws iam add-user-to-group --user-name alice --group-name Developers matches the correct syntax exactly.

  3. Final Answer:

    aws iam add-user-to-group --user-name alice --group-name Developers -> Option C

  4. Quick Check:

    Correct CLI command = aws iam add-user-to-group --user-name alice --group-name Developers [OK]
Hint: Use 'add-user-to-group' command with user and group names [OK]
Common Mistakes:
  • Using 'attach-user-policy' instead of adding to group
  • Confusing 'create-group' with adding users
  • Reversing user and group parameters
3. Given the following IAM group policy attached to group Admins: 
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "*"
  }]
}
If user bob is added to the Admins group, what permissions does bob have on S3?
medium
A. Full access to all S3 actions and resources
B. Read-only access to S3 buckets
C. No access to S3 unless user policy allows it
D. Access only to S3 buckets created by bob

Solution

  1. Step 1: Analyze the group policy permissions

    The policy allows all S3 actions (s3:*) on all resources (*), meaning full access.

  2. Step 2: Understand group membership effect

    User bob inherits all permissions from the Admins group.

  3. Final Answer:

    Full access to all S3 actions and resources -> Option A

  4. Quick Check:

    Group policy allows s3:* on * = full access [OK]
Hint: s3:* on * means full S3 access [OK]
Common Mistakes:
  • Assuming user needs separate policy for access
  • Thinking group policies restrict to created buckets
  • Confusing read-only with full access
4. You tried to add user carol to group Managers using this command: 
aws iam add-user-to-group --group-name Managers --user carol
But it failed. What is the error in this command?
medium
A. The command should be 'aws iam add-group-to-user' instead
B. The parameter should be --user-name, not --user
C. The group name should be specified after --user-name
D. The user name must be in quotes

Solution

  1. Step 1: Check AWS CLI command syntax

    The correct parameter for specifying the user is --user-name, not --user.

  2. Step 2: Identify the error in the command

    Using --user causes the command to fail because it is invalid.

  3. Final Answer:

    The parameter should be --user-name, not --user -> Option B

  4. Quick Check:

    Correct parameter = --user-name [OK]
Hint: Use --user-name, not --user, for specifying IAM user [OK]
Common Mistakes:
  • Using incorrect parameter names
  • Swapping user and group parameters
  • Adding unnecessary quotes around names
5. You want to create a secure setup where users in the Developers group can only start and stop EC2 instances, but not terminate them. Which IAM policy snippet attached to the group achieves this?
hard
A. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*" }] }
B. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:*", "Resource": "*" }] }
C. { "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*" }] }
D. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "*" }] }

Solution

  1. Step 1: Understand required permissions

    Users should only start and stop instances, so allow only those actions.

  2. Step 2: Evaluate policy options

    { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "*" }] } allows only StartInstances and StopInstances. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:*", "Resource": "*" }] } allows all EC2 actions, including terminate. { "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*" }] } denies terminate but does not allow start/stop explicitly. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*" }] } allows terminate, which is not desired.

  3. Final Answer:

    Policy allowing only start and stop EC2 instances -> Option D

  4. Quick Check:

    Allow only start/stop, no terminate = { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "*" }] } [OK]
Hint: Allow only needed actions, avoid wildcard ec2:* [OK]
Common Mistakes:
  • Using ec2:* allows unwanted terminate action
  • Only denying terminate without allowing start/stop
  • Including terminate in allowed actions