Bird
Raised Fist0
AWScloud~5 mins

IAM users and groups in AWS - Cheat Sheet & Quick Revision

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What is an IAM user in AWS?
An IAM user is an identity that represents a person or service who interacts with AWS. It has credentials to access AWS resources securely.
Click to reveal answer
beginner
What is the purpose of an IAM group?
An IAM group is a collection of IAM users. It helps manage permissions by assigning policies to the group instead of individual users.
Click to reveal answer
intermediate
How do IAM groups simplify permission management?
By assigning permissions to a group, all users in that group inherit those permissions. This avoids setting permissions one by one for each user.
Click to reveal answer
intermediate
Can IAM users belong to multiple groups?
Yes, an IAM user can be a member of multiple groups, inheriting permissions from all those groups combined.
Click to reveal answer
advanced
What is the difference between IAM user permissions and group permissions?
User permissions are policies attached directly to a user. Group permissions come from policies attached to groups the user belongs to. Both combine to define effective permissions.
Click to reveal answer
What does an IAM group in AWS primarily help with?
AManaging multiple users' permissions together
BCreating new AWS accounts
CStoring data securely
DRunning applications
Can an IAM user exist without belonging to any group?
AYes, users can exist alone with direct permissions
BOnly if the user is an admin
CNo, every user must be in a group
DOnly if the user is temporary
If a user belongs to two groups with different permissions, what happens?
AUser loses all permissions
BUser gets permissions from only one group
CUser gets combined permissions from both groups
DUser must choose which group to use
What is NOT a feature of IAM users?
AThey have credentials to access AWS
BThey can belong to groups
CThey can be assigned permissions directly
DThey automatically have admin rights
Why is it better to assign permissions to groups rather than individual users?
AGroups are faster to create
BGroups reduce repetitive permission assignments
CUsers cannot have permissions directly
DGroups automatically secure data
Explain how IAM users and groups work together to manage access in AWS.
Think about how a team shares access rights through group membership.
You got /4 concepts.
    Describe the benefits of using IAM groups instead of assigning permissions directly to each user.
    Imagine managing keys for a building by giving them to groups instead of individuals.
    You got /4 concepts.

      Practice

      (1/5)
      1. What is the main purpose of an IAM group in AWS?
      easy
      A. To organize multiple IAM users and assign permissions collectively
      B. To store data securely in the cloud
      C. To create virtual servers for applications
      D. To monitor network traffic in AWS

      Solution

      1. Step 1: Understand IAM user and group roles

        IAM users represent individuals or services, while groups organize these users.

      2. Step 2: Identify the purpose of groups

        Groups allow assigning permissions to many users at once, simplifying management.

      3. Final Answer:

        To organize multiple IAM users and assign permissions collectively -> Option A

      4. Quick Check:

        IAM groups = organize users + assign permissions [OK]
      Hint: Groups bundle users for easy permission management [OK]
      Common Mistakes:
      • Confusing groups with storage or servers
      • Thinking groups monitor network traffic
      • Believing groups are individual user accounts
      2. Which of the following is the correct way to add an IAM user named alice to a group named Developers using AWS CLI?
      easy
      A. aws iam add-group-to-user --group-name Developers --user-name alice
      B. aws iam attach-user-policy --user-name alice --policy-name Developers
      C. aws iam add-user-to-group --user-name alice --group-name Developers
      D. aws iam create-group --group-name Developers --user alice

      Solution

      1. Step 1: Recall AWS CLI command for adding user to group

        The correct command is aws iam add-user-to-group with parameters --user-name and --group-name.

      2. Step 2: Match command syntax with options

        aws iam add-user-to-group --user-name alice --group-name Developers matches the correct syntax exactly.

      3. Final Answer:

        aws iam add-user-to-group --user-name alice --group-name Developers -> Option C

      4. Quick Check:

        Correct CLI command = aws iam add-user-to-group --user-name alice --group-name Developers [OK]
      Hint: Use 'add-user-to-group' command with user and group names [OK]
      Common Mistakes:
      • Using 'attach-user-policy' instead of adding to group
      • Confusing 'create-group' with adding users
      • Reversing user and group parameters
      3. Given the following IAM group policy attached to group Admins: 
      {
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "*"
  }]
}
      If user bob is added to the Admins group, what permissions does bob have on S3?
      medium
      A. Full access to all S3 actions and resources
      B. Read-only access to S3 buckets
      C. No access to S3 unless user policy allows it
      D. Access only to S3 buckets created by bob

      Solution

      1. Step 1: Analyze the group policy permissions

        The policy allows all S3 actions (s3:*) on all resources (*), meaning full access.

      2. Step 2: Understand group membership effect

        User bob inherits all permissions from the Admins group.

      3. Final Answer:

        Full access to all S3 actions and resources -> Option A

      4. Quick Check:

        Group policy allows s3:* on * = full access [OK]
      Hint: s3:* on * means full S3 access [OK]
      Common Mistakes:
      • Assuming user needs separate policy for access
      • Thinking group policies restrict to created buckets
      • Confusing read-only with full access
      4. You tried to add user carol to group Managers using this command: 
      aws iam add-user-to-group --group-name Managers --user carol
      But it failed. What is the error in this command?
      medium
      A. The command should be 'aws iam add-group-to-user' instead
      B. The parameter should be --user-name, not --user
      C. The group name should be specified after --user-name
      D. The user name must be in quotes

      Solution

      1. Step 1: Check AWS CLI command syntax

        The correct parameter for specifying the user is --user-name, not --user.

      2. Step 2: Identify the error in the command

        Using --user causes the command to fail because it is invalid.

      3. Final Answer:

        The parameter should be --user-name, not --user -> Option B

      4. Quick Check:

        Correct parameter = --user-name [OK]
      Hint: Use --user-name, not --user, for specifying IAM user [OK]
      Common Mistakes:
      • Using incorrect parameter names
      • Swapping user and group parameters
      • Adding unnecessary quotes around names
      5. You want to create a secure setup where users in the Developers group can only start and stop EC2 instances, but not terminate them. Which IAM policy snippet attached to the group achieves this?
      hard
      A. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*" }] }
      B. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:*", "Resource": "*" }] }
      C. { "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*" }] }
      D. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "*" }] }

      Solution

      1. Step 1: Understand required permissions

        Users should only start and stop instances, so allow only those actions.

      2. Step 2: Evaluate policy options

        { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "*" }] } allows only StartInstances and StopInstances. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:*", "Resource": "*" }] } allows all EC2 actions, including terminate. { "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*" }] } denies terminate but does not allow start/stop explicitly. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*" }] } allows terminate, which is not desired.

      3. Final Answer:

        Policy allowing only start and stop EC2 instances -> Option D

      4. Quick Check:

        Allow only start/stop, no terminate = { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "*" }] } [OK]
      Hint: Allow only needed actions, avoid wildcard ec2:* [OK]
      Common Mistakes:
      • Using ec2:* allows unwanted terminate action
      • Only denying terminate without allowing start/stop
      • Including terminate in allowed actions