Security and billingIntermediate29 min read

What Is IAM group? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

An IAM group is like a folder for user accounts in a cloud system. Instead of giving permissions to each person one by one, you put them in a group and give permissions to the whole group. Everyone in the group automatically gets the same access rights. This makes managing users much easier and reduces mistakes.

Commonly Confused With

IAM groupvsIAM role

An IAM group is a static container for IAM users that grants them long-term permissions using standard API keys. An IAM role is a temporary identity that can be assumed by users, services, or federated identities, providing temporary credentials. Roles are used for cross-account access and for services that need to access AWS resources, while groups are for internal user management within an account.

A group is like a permanent badge for an employee. A role is like a temporary visitor badge that expires after a few hours.

IAM groupvsIAM user

An IAM user is a single identity with long-term credentials (password and access keys). It represents a single person or application. An IAM group is not an identity itself, but a collection of users. You cannot log in as a group; you log in as a user. Groups only manage permissions.

A user is like an individual employee. A group is like the department that employee belongs to.

IAM groupvsPermission set

Permission sets are a feature of AWS IAM Identity Center (formerly AWS SSO). They allow you to define a collection of policies that can be assigned to users across multiple AWS accounts. Unlike IAM groups, which are per-account, permission sets are used in a multi-account environment and can grant different levels of access in different accounts.

An IAM group is for one office (one AWS account). A permission set is for a franchise chain (multiple AWS accounts) where you define the access rules for each franchise location.

IAM groupvsOrganizational unit (OU) in Active Directory

An OU is a container in Active Directory that can hold users, groups, computers, and other objects. It is primarily used for organizational structure and applying Group Policy Objects (GPOs). IAM groups in the cloud are purely for permission management and lack the granular policy application capabilities of OUs.

An OU is like a department folder in a company org chart that also has rules about what software you can install. An IAM group is just a list of people who share the same access badge.

IAM group appears directly in 8exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →

Must Know for Exams

IAM groups are a core topic in many cloud and security certification exams, though the depth and context vary significantly by exam. For the AWS Cloud Practitioner exam, you need to understand that groups are a feature of IAM used to manage permissions for multiple users. You should know that groups cannot be nested and that policies attached to groups apply to all members. Questions often ask about the difference between users, groups, and roles. For AWS Developer Associate and AWS Solutions Architect exams, groups appear in more complex scenarios. You might need to choose between using a group versus an IAM role for granting permissions to a set of users. The exam may test whether a group can be used for cross-account access? it cannot. You may also see questions about group limits and how to handle more than 300 groups.

For the Microsoft Azure exams, such as AZ-900 Azure Fundamentals, AZ-104 Azure Administrator, and SC-900 Security Compliance and Identity, groups are deeply integrated. You need to understand the difference between security groups and Microsoft 365 groups. Dynamic groups and nested groups are commonly tested. In AZ-104, you might be asked how to automatically add users to a group based on their job title using dynamic membership rules. You also need to know that Azure groups can be used for both access management and distribution lists. The exam may present a scenario where you need to assign permissions to all users in a department, and the correct answer is to use a security group.

For Google Cloud exams like Google ACE and Google Cloud Digital Leader, groups are called Google Groups and are used in Cloud IAM. You need to understand that you can assign roles to groups at the organization, folder, or project level. The exams test whether you know that groups can contain other groups and that permissions inherit. They also test that you cannot assign a role directly to an external user without a group in some scenarios.

For CompTIA Security+ and CySA+, groups are covered under identity and access management. You should know that groups simplify administration and that RBAC relies on group membership. Questions might ask which access control model uses groups, or how to manage permissions for a large number of users. For ISC2 CISSP, groups are a fundamental part of the Identity and Access Management domain. You need to understand group types like security groups, distribution groups, and nested groups in Active Directory. The exam may present a scenario where you need to implement a least privilege model using groups.

For MD-102 and MS-102 Microsoft Endpoint and 365 administration exams, groups in Azure AD are key. You need to know how to create, manage, and delete groups, and how to use dynamic groups for automatic membership. The exams may test the difference between assigned and dynamic groups.

In general, exam questions about IAM groups fall into several categories: definition and purpose, comparison with roles and users, limitations, best practices, and troubleshooting. You must know that groups are not principals in AWS but are in Azure. You must know that groups cannot be used to grant cross-account access in AWS. You must know that dynamic groups in Azure have delays. Mastery of groups is essential to pass these exams.

Simple Meaning

Think of an IAM group as a team badge in an office building. In a company, you might have different teams: sales, engineering, HR, and so on. Each team has its own badge that opens certain doors. The sales team badge opens the sales meeting room and the customer database door. The engineering badge opens the server room and the code repository door. When a new salesperson joins, you don't create a brand new badge from scratch for that one person. Instead, you just give them a sales team badge. They immediately get access to everything the sales team needs.

Now, imagine what happens if you manage each person separately. You would have to remember every door each salesperson needs to access. If you hire ten salespeople, you configure access ten times. If one salesperson leaves, you have to remember to remove their access to all those doors. This is tedious and risky. One mistake could leave a former employee with access to sensitive data.

An IAM group solves this mess. In cloud computing, an IAM group is a container for user accounts. You create a group called "SalesTeam" and attach a permission policy to it. The policy says, "Allow access to the customer database and the sales reports folder." Then you add all the sales users to the group. When a new salesperson joins, you simply add their user account to the group. They instantly get the correct permissions. When someone leaves, you remove their account from the group. Their access is revoked automatically. You never have to touch individual permissions.

Groups can also be nested in some systems? Generally, most cloud providers do not allow nesting groups within groups to keep things simple and avoid circular dependencies. But you can have multiple groups for different roles. For instance, a user might belong to both the "Developers" group and the "ProjectX" group. The permissions from both groups combine. This is called group membership aggregation.

IAM groups are not about authentication? They are about authorization. That means they do not control who can log in. They control what a logged-in user can do. The group itself has no credentials. It is purely a management convenience. In most major cloud platforms? AWS, Azure, Google Cloud, and even identity systems like Active Directory use groups to manage permissions at scale. Without groups, managing hundreds or thousands of users would be a nightmare. That is why the IAM group is a fundamental building block of secure and efficient identity management.

Full Technical Definition

An IAM group is a logical container within an Identity and Access Management system that holds multiple IAM users. It serves as a target for attaching identity-based policies. When a policy is attached to a group, that policy applies to all members of the group. This mechanism enables the principle of least privilege at scale because administrators can assign a single set of permissions to a role-based collection of users.

In AWS Identity and Access Management (IAM), a group is not a true identity. It cannot be authenticated. It has no credentials. It is not a principal in AWS policy evaluation. Only users and roles can be principals. The group is purely an administrative boundary. You can create a group, attach managed policies or inline policies to it, and then add users to it. The maximum number of groups per AWS account is 300, and each group can have up to 5000 users. You cannot nest groups in AWS. This limitation exists to avoid complex permission evaluation chains.

In Azure Active Directory (now Microsoft Entra ID), the concept is expanded. Azure has security groups and Microsoft 365 groups. Security groups can contain users, devices, service principals, or other groups. Azure does allow nested groups, but there are limits on nesting depth? usually up to 10 levels. Permissions are transitive, meaning a user in a nested group inherits permissions from all parent groups. Azure also has dynamic groups that automatically add or remove members based on rules, such as "department equals Sales." This is particularly useful for large enterprises with frequent personnel changes.

In Google Cloud Platform (GCP) Cloud IAM, groups are called Google Groups. They work similarly. You create a Google Group, assign an IAM role to it at the project or organization level, and then add members to the group. GCP also supports nested groups, but the permissions are not transitive by default for all role types. You need to understand how role inheritance works across hierarchies. GCP's IAM system evaluates permissions based on the effective policy, which includes policies attached to users, groups, and even service accounts.

From a technical implementation perspective, IAM groups rely on a directory service backend. In AWS, the backend is the global IAM service. In Azure, it is Microsoft Graph. In GCP, it is the Cloud Identity API. When a user makes an API call, the authorization engine checks all policies attached to the user and all groups the user belongs to. It evaluates the policies to determine if the action is allowed or denied. An explicit deny always overrides an allow. So if a user is in two groups, one allowing access and one denying access, the deny wins.

Group membership changes propagate at different speeds depending on the system. In AWS, propagation is near-instantaneous because IAM is a global service. In Azure, changes can take up to 30 minutes to fully propagate due to caching in Microsoft Graph. This is an important consideration for security-sensitive scenarios where immediate revocation is required.

Cross-account access using groups is a common exam topic. In AWS, you cannot directly give a group in one account access to resources in another account. Instead, you use cross-account roles. The group can be used to allow user to assume a role in the target account. In Azure, you can assign a group access to resources in another tenant if the group is a guest user, but this is more complex. Understanding these boundaries is critical for exam success.

From a security best practice perspective, you should always use groups rather than attaching policies directly to individual users. Direct attachment leads to permission sprawl. If a user changes roles, you have to update their policies, which is error-prone. With groups, you simply move the user from one group to another. This aligns with the principle of role-based access control (RBAC).

IAM groups also simplify auditing. When you review permissions for a team, you look at the policies attached to the group, not each individual user. This makes compliance audits easier. CloudTrail logs in AWS will show which user performed an action, but the group membership is not directly logged in the event. You need to call the IAM API to check group membership at a point in time.

Finally, IAM groups have limits. In AWS, you have a quota of 300 groups per account. If you exceed that, you need to redesign your permission structure, possibly using attribute-based access control (ABAC) which uses tags instead of groups. Groups are best for stable roles with many users. For granular, dynamic permissions, other mechanisms like permission sets or ABAC may be more appropriate.

Real-Life Example

Imagine you run a large hospital. The hospital has many departments: doctors, nurses, administration, lab technicians, and IT support. Each department needs access to different parts of the hospital and different systems. A doctor needs access to patient records and the medication database. A nurse needs access to patient records but maybe not the full medication database. An admin person needs access to billing and scheduling. An IT person needs access to servers and network equipment.

If you managed access by individually programming each employee's ID badge, it would be a disaster. You would have to sit down with every new doctor and configure their badge to open the patient record door, the medication room, the doctor lounge, and so on. If a doctor turned into a part-time administrator, you would have to reprogram their badge. If a nurse left, you would have to remember all the doors they accessed and revoke each one. The risk of leaving a door unlocked is high.

Instead, you create group badges. You create a "Doctor" badge template. That template opens all the doors a doctor needs. When you hire a new doctor, you simply issue them a copy of the Doctor badge. That's it. The new doctor can immediately access the patient records and medication database. If a doctor moves to administration, you give them a new badge with the "Administration" permissions. The old Doctor badge is deactivated. If a nurse leaves, you just deactivate their badge. You don't need to check which specific doors they had access to.

Now, map this to IAM groups. The badge template is the IAM group. The physical doors are cloud resources like databases, storage buckets, or virtual machines. The badge's opening capabilities are the IAM policies attached to the group. The individual employee is the IAM user. The act of issuing a badge is adding the user to the group. The act of deactivating a badge is removing the user from the group.

In this hospital analogy, you could also have a situation where a person needs access from multiple departments. For example, a doctor who also oversees IT might need both Doctor and IT badges. In IAM, a user can belong to multiple groups. Their effective permissions are the union of all policies from all groups they belong to. But remember the deny rule? If one group says "Deny access to patient records" and another says "Allow access to patient records," the deny wins. That keeps things safe.

Groups also help with compliance. If the hospital needs to prove that all nurses have the correct level of access, you can look at the Nurse group policy. You don't have to inspect each nurse's individual permissions. That is a massive time saver.

The analogy breaks down a bit because in the cloud, groups are virtual and changes propagate instantly or within minutes. In a hospital, you might need to physically print a new badge. But the core principle is exactly the same: groups simplify managing many users by assigning permissions once to a group and then managing membership.

Why This Term Matters

IAM groups matter because they are the primary mechanism for managing permissions at scale in cloud environments. Without groups, administrators would have to attach policies to each individual user. This approach quickly becomes unmanageable as an organization grows. With hundreds or thousands of users, manual per-user permission management leads to configuration drift, where users accumulate permissions over time and no one knows exactly who has access to what. This is a direct security risk.

Groups enforce the principle of least privilege in a sustainable way. When you create a group for a specific job function, you can carefully craft a policy that grants only the permissions required for that role. Then you add users to the group. You never need to grant extra permissions to an individual because the group already covers their needs. If a new type of access is needed for a role, you update the group policy once, and all members automatically get the new access or lose access immediately. This reduces human error.

Groups also simplify onboarding and offboarding. When a new employee joins, you create their user account and add them to the appropriate groups. Within minutes, they have the correct access without any custom configuration. When an employee leaves, you delete their user account, and all group memberships are automatically terminated. You don't have to worry about lingering permissions from manually attached policies.

In terms of cost management, groups help indirectly. By controlling access to expensive resources, you can prevent accidental cost overruns. For example, only the DevOps group might have permission to launch large EC2 instances. This prevents other teams from inadvertently spinning up costly resources.

For compliance and auditing, groups are essential. Auditors want to see that access control is role-based and that permissions are not granted ad hoc. Groups provide a clear structure. You can show that the "Finance" group has read-only access to the billing bucket, and that only members of the finance team are in that group. This satisfies many compliance frameworks like SOC 2, ISO 27001, and HIPAA.

Finally, groups are a fundamental concept in all major cloud platforms and identity systems. Understanding groups is prerequisite knowledge for many certification exams. If you don't grasp how groups work, you will struggle with more advanced topics like IAM roles, policies, and resource-based policies. In short, IAM groups are the building blocks of cloud security.

How It Appears in Exam Questions

IAM group questions appear in multiple formats across exams. The most common type is the "best practice" question. For example: A company has 50 employees who need identical permissions to access an S3 bucket. What is the most secure and efficient way to grant these permissions? The correct answer is to create an IAM group, attach an S3 access policy to the group, and add the 50 users to the group. Distractors might include attaching a policy to each user individually or using an IAM role with a trust policy.

Another common question type is the "limitations" question. For example: Your AWS account currently has 300 IAM groups. You need to create another group for a new project. What should you do? The correct answer is to request a service quota increase or redesign your group structure. Because AWS has a default limit of 300 groups per account. Distractors might suggest creating a new user or using an IAM role instead.

The "cross-account access" scenario is also frequent. Example: You need to grant users in Account A access to resources in Account B. Which option is valid? The correct answer is to create an IAM role in Account B with a trust policy allowing users from Account A to assume it. You cannot use a group for this. Many students mistakenly think a group can be given cross-account permissions, but that is not supported.

In Azure exams, you might see a scenario like: Your company has 200 users in the Sales department and 150 in Marketing. The Sales users need access to a CRM application, and Marketing needs access to an analytics tool. Users often change departments. What is the best approach? The correct answer is to create two security groups? SalesGroup and MarketingGroup. Use dynamic membership based on the department attribute. Assign the appropriate application permissions to each group. Then users are automatically added or removed when their department changes.

Another question format tests knowledge of nested groups. For example: In Azure AD, you have a group called Engineering with a policy attached. You create a sub-group called SoftwareEngineers and add it as a member of Engineering. Will the SoftwareEngineers members inherit the Engineering policy? Answer: Yes, because Azure AD supports nested groups and permission inheritance.

Troubleshooting questions also appear. Example: A user in an IAM group cannot perform an action that the group policy allows. What could be the issue? Possible answers: The user belongs to another group that denies the action (explicit deny overrides allow), the policy is not attached correctly, or the user has a separate inline policy that denies the action. These questions test your understanding of policy evaluation logic.

Finally, there are questions that compare IAM groups to IAM roles. Example: What is the primary difference between an IAM group and an IAM role? The correct answer is that an IAM group is a container for users, while an IAM role is an identity that can be assumed by users or services. Groups cannot have temporary credentials. Roles provide temporary credentials. Groups are for long-term assignments; roles are for short-term, cross-account, or service access.

Practise IAM group Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Scenario: Acme Corp is a growing company with 200 employees. They use AWS for their cloud infrastructure. The company has three departments: Sales, Engineering, and HR. The Sales team needs read-only access to the customer database in DynamoDB. The Engineering team needs full access to EC2 instances and S3 buckets used for development. The HR team needs read-only access to the employee records stored in a private S3 bucket.

Currently, the system administrator has been creating each user and attaching policies manually. This has become a mess. When a new salesperson joined last week, the admin forgot to attach the DynamoDB read policy, so the user could not access the database all day. When an engineer left, the admin had to manually check and revoke all their permissions, and they missed one policy, leaving the former employee with access to a sensitive S3 bucket. The admin is overwhelmed.

Solution: The admin decides to use IAM groups. They create three groups: SalesGroup, EngineeringGroup, and HRGroup. For SalesGroup, they attach an AWS managed policy called AmazonDynamoDBReadOnlyAccess. For EngineeringGroup, they attach AmazonEC2FullAccess and AmazonS3FullAccess. For HRGroup, they create a custom policy that grants read-only access to the specific S3 bucket containing employee records. Then they add all current users to their respective groups. From now on, when a new employee joins, the admin simply creates their IAM user and adds them to the appropriate group. When an employee leaves, the admin deletes the user or removes them from the group. Permissions are automatically applied or revoked.

This new approach saves time, reduces errors, and makes audits easy. The admin can now prove that only salespeople can read the customer database, only engineers can manage EC2 instances, and only HR can view employee records. The company's security posture improves dramatically.

This scenario illustrates the core benefit of IAM groups: centralized, role-based permission management that scales with the organization.

Common Mistakes

Attaching a policy directly to an IAM user instead of using a group.

This leads to permission sprawl. Each user has unique permissions, making it hard to audit and manage. When the user changes roles, you must manually update their policies instead of just moving them between groups.

Always create groups based on job functions. Attach policies to the group and add users as members. This centralizes permission management.

Trying to use an IAM group for cross-account access in AWS.

IAM groups are always within a single account. They cannot be referenced in a trust policy in another account. This is a common exam trap. Groups are not principals in AWS policy evaluation.

Use an IAM role with a trust policy that allows users from the source account to assume the role. The role can then be used in the target account.

Assuming that changes to group membership take effect immediately in all systems.

In AWS, changes are near-instant, but in Azure, group membership changes can take up to 30 minutes to propagate due to caching. In GCP, propagation time can also be minutes. Relying on immediate revocation can leave a security gap.

Understand the propagation delay for the specific cloud provider. For critical changes, consider additional controls like immediate user account disablement or using roles with short-term credentials.

Creating too many groups and nesting them unnecessarily.

In AWS, you cannot nest groups, and there is a limit of 300 groups per account. In Azure, while nesting is allowed, too many levels can make permission evaluation complex and hard to troubleshoot. It also increases management overhead.

Keep group structures flat and lean. Use groups for stable job functions. For granular, dynamic permissions, consider attribute-based access control (ABAC) or use roles instead of nested groups.

Assigning both an allow and a deny policy to a group that causes unintended conflicts.

If a group has an inline policy that denies an action and a managed policy that allows it, the deny wins. This can cause users to lose access unexpectedly. Also, if a user belongs to multiple groups with conflicting policies, the net effect can be confusing.

Use the principle of least privilege and avoid attaching conflicting policies to the same group. Use managed policies that are well-defined. When using multiple groups, be aware of the policy evaluation logic.

Not using groups for service accounts or application users.

Some administrators think groups are only for human users. Service accounts (IAM users used by applications) should also be managed using groups for consistency. This makes it easier to update permissions for all applications that need a particular access pattern.

Treat service accounts the same as human users. Create groups for application roles and add the corresponding IAM users to those groups.

Exam Trap — Don't Get Fooled

{"trap":"Assuming that an IAM group can be used as a principal in a resource-based policy in AWS.","why_learners_choose_it":"Learners often think that since groups contain users, you can reference the group ARN in a bucket policy or a resource-based policy. They have seen users referenced in policies and mistakenly extend that to groups."

,"how_to_avoid_it":"Remember that in AWS IAM, groups are not valid principals. Only users, roles, service principals, and federated users can be principals. To give a group of users access to a resource, you either attach a policy to the group that allows access to the resource, or you use a role that the users can assume.

Never reference a group ARN in a resource-based policy."

Step-by-Step Breakdown

1

Plan your group structure

Define the job functions in your organization. For each function, determine what cloud resources they need and what actions they should be allowed to perform. For example, developers need access to code repositories and test environments. This planning ensures that you create groups aligned with the principle of least privilege.

2

Create the IAM group

Access the IAM console or use the CLI to create a new group. Give it a descriptive name that reflects the job function, such as 'Developers' or 'HRReadOnly'. In AWS, groups are created within your account and are not global across accounts. In Azure, groups are created in Azure AD.

3

Attach permissions policies to the group

Select one or more policies to attach to the group. These policies define what actions are allowed or denied. You can use managed policies (pre-built by the cloud provider) or create custom policies. Attach the policies that match the job function of the group. This step is crucial because the policies determine the group's access.

4

Add IAM users to the group

Once the group is created and policies are attached, add the relevant IAM users to the group. You can add one user at a time or add multiple users if the console supports bulk actions. When a user is added, they immediately receive the permissions defined by the group's policies (subject to propagation delays).

5

Test the permissions

As a best practice, test that the group members have the intended access. Sign in as a test user who belongs to the group and attempt to perform actions that should be allowed and denied. This verifies that the policy is correctly configured. This step helps catch mistakes before they affect real users.

6

Manage group membership over time

As employees join, leave, or change roles, update group membership accordingly. Add new users to the appropriate groups. Remove users who leave or change roles. This is the ongoing administration that groups simplify. In Azure, you can use dynamic groups to automate this based on user attributes.

7

Audit and review group permissions periodically

Regularly review the policies attached to each group and the membership list. Check if the permissions are still appropriate for the job function. Use tools like IAM Access Analyzer in AWS or Azure AD access reviews to identify unused or excessive permissions. This ensures that the principle of least privilege remains in effect.

Practical Mini-Lesson

Let's look at how IAM groups work in practice, focusing on AWS because it is the most common platform for certification exams. When you create an IAM group in AWS, you are using the global IAM service. This means your groups are available across all regions. However, groups are tied to a single AWS account. You cannot share a group across accounts. This is a key limitation.

The process of creating a group is straightforward. In the AWS Management Console, you navigate to IAM, then Groups, then Create New Group. You give the group a name. AWS recommends using a naming convention like 'Department-Role', for example 'Engineering-ReadOnly'. Then you attach policies. You can attach AWS managed policies like 'AmazonS3ReadOnlyAccess' or custom policies. You can attach up to 20 policies per group, but this is a soft limit.

Once the group is created, you add users. Each user can be a member of up to 10 groups. This is important: when a user belongs to multiple groups, the effective permissions are the union of all policies from all groups, evaluated together. Remember the policy evaluation logic: explicit deny always wins. So if one group has an allow for s3:GetObject and another group has a deny for the same action, the deny prevails.

What professionals need to know: Groups are not just for users. You can also add IAM roles to a group? No, you cannot. Groups can only contain IAM users. This is different from Azure AD, where groups can contain other groups or devices. In AWS, groups are flat. If you need more complex structures, you need to use roles or ABAC.

Common pitfalls in practice: One issue is using groups for service accounts. Service accounts (IAM users used by applications) should also be put into groups. But some administrators create individual policies for each service account, which defeats the purpose. Always use groups even for service accounts.

Another practical consideration is the use of inline policies vs. managed policies. Managed policies are reusable across groups and accounts, making maintenance easier. Inline policies are unique to the group and harder to audit. Best practice is to use managed policies whenever possible.

What can go wrong: A user might have too many group memberships. Since a user can be in up to 10 groups, and each group can have multiple policies, the effective policy size can become large. This can cause performance issues in policy evaluation, though it's rare. More commonly, it becomes difficult to reason about why a user has certain permissions. This is called the 'group explosion' problem.

To mitigate this, you should design your group hierarchy carefully. Use a minimal number of groups. If you need granularity, consider using resource-based policies or ABAC tags. For example, instead of having separate groups for each S3 bucket, you can attach a single policy to the group that allows access to resources with specific tags, and then tag the resources accordingly.

Finally, remember that IAM groups do not provide any authentication. They are purely authorization. You cannot set a password for a group. You cannot create access keys for a group. The group itself cannot perform any actions. It's just a container. This is a fundamental concept that many beginners confuse.

practical use of IAM groups requires careful planning, proper naming conventions, regular audits, and understanding of limits. Used correctly, groups are a powerful tool for scalable permission management.

Memory Tip

Think 'Group = Badge' – You attach policies (door access) to the badge, not to the person. Clip the badge onto each user as they join.

Learn This Topic Fully

This glossary page explains what IAM group means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Can an IAM user belong to multiple groups?

Yes, in AWS a user can belong to up to 10 groups. The permissions from all groups are combined. However, if there is a conflict, an explicit deny in any group overrides an allow.

Can I use an IAM group to grant cross-account access in AWS?

No, IAM groups are specific to a single AWS account and cannot be referenced in policies in other accounts. Cross-account access requires IAM roles with a trust policy.

What is the difference between an IAM group and an IAM role?

An IAM group is a static container for users that gives them long-term permissions. An IAM role is a temporary identity that can be assumed by users or services, providing temporary credentials. Roles are used for cross-account access and for services.

Does Azure AD support dynamic groups?

Yes, Azure AD supports dynamic groups that automatically add or remove members based on user attributes like department or job title. This is useful for large organizations with frequent changes.

Can I nest IAM groups in AWS?

No, AWS does not support nested groups. Each group can contain only IAM users, not other groups. Azure AD does support nested groups up to 10 levels deep.

How quickly do changes to group membership take effect?

In AWS, changes are near-instantaneous. In Azure, changes can take up to 30 minutes to propagate due to caching. In GCP, propagation can take minutes. Always account for delays in security-sensitive operations.

What is the maximum number of IAM groups per AWS account?

The default limit is 300 groups per AWS account. You can request a service quota increase if needed.