IAM Groups

Last updated 12:45 PM on 6/5/26
10 Terms

1
An AWS exam scenario asks a new developer to log into the AWS Management Console using the credentials of an IAM Group. What is true regarding this scenario?

A) This is possible if the group has MFA explicitly enabled.
B) IAM groups do not have their own credentials, therefore they cannot be logged into.
C) Group login is only supported via the AWS CLI, not the Management Console.
D) This is only possible if the group is nested inside the native "All Users" group.
E) A special IAM Role must be created to facilitate group login.
F) It is natively allowed but violates AWS security best practices.
Correct Answer: B - IAM groups do not have their own credentials, therefore they cannot be logged into.
2
What is the maximum number of IAM users that can be placed inside a single IAM group?

A) Maximum 10 users per group.
B) Maximum 300 users per group.
C) Maximum 5,000 users per group.
D) There is no limit; you can place all the users in your account into a single group.
E) Maximum 1,000 users per region.
F) Groups contain IAM Roles, not IAM Users.
Correct Answer: D - There is no limit; you can place all the users in your account into a single group.
3
You manage an enterprise AWS account and want to create two sub-groups ("Frontend" and "Backend") inside a parent "Developers" IAM group. What is the AWS rule regarding this?

A) You must raise a support ticket to enable nested groups in your account.
B) IAM groups cannot be nested; you cannot place groups inside other groups.
C) Nested groups are allowed, but strictly limited to a maximum of 3 levels deep.
D) Sub-groups automatically override the permissions of the parent group.
E) This architectural pattern is only possible using AWS IAM Identity Center (SSO).
F) Creating nested groups allows you to bypass the limit of 10 groups per user.
Correct Answer: B - IAM groups cannot be nested; you cannot place groups inside other groups.
4
Sally is a member of both the "Developers" and "QA" IAM groups. The "Developers" group allows access to an S3 bucket, the "QA" group denies access to it, and Sally's direct inline policy allows access. What is the final evaluation result?

A) Access is allowed because direct inline policies have higher priority than group policies.
B) Access is denied because an Explicit Deny always overrides an Explicit Allow, regardless of the source.
C) Access is allowed because two Allows override one Deny by majority rule.
D) Access is denied because an Implicit Deny is the default behavior.
E) AWS will throw a compilation error because overlapping policies are not permitted.
F) Access is partially allowed for read-only operations.
Correct Answer: B - Access is denied because an Explicit Deny always overrides an Explicit Allow, regardless of the source.
5
You want to grant the "Developers" IAM group access to an S3 bucket by referencing the group as a Principal in the bucket's resource-based policy. What is the architectural flaw in this design?

A) S3 buckets only support inline policies, not resource-based policies.
B) IAM groups are not true identities; therefore, they cannot be referenced as a Principal in a resource policy.
C) To be used as a Principal, the IAM group must be assigned a globally unique ARN.
D) There is no flaw; this is a completely valid and recommended architectural pattern.
E) The group must first assume an IAM Role before it can be referenced in an S3 policy.
F) S3 bucket policies only accept IP addresses as Principals, not AWS IAM entities.
Correct Answer: B - IAM groups are not true identities; therefore, they cannot be referenced as a Principal in a resource policy.
6
Which statement is TRUE regarding the native "All Users" group in AWS IAM?

A) It is automatically generated when an AWS account is created and cannot be deleted.
B) The standard limit of 5,000 IAM users does not apply to this specific group.
C) AWS IAM does not natively provide an "All Users" group; you must manually create and manage it.
D) The "All Users" group can only be accessed and modified by the AWS root user.
E) It is a specialized group used exclusively for managing cross-account access federation.
F) Policies attached to this group overrule all other individual or group policies in the account.
Correct Answer: C - AWS IAM does not natively provide an "All Users" group; you must manually create and manage it.
7
According to standard AWS account limits, what is the maximum number of IAM groups a single IAM user can be a member of concurrently?

A) 5
B) 10
C) 50
D) 100
E) 300
F) Unlimited
Correct Answer: B - 10
8
What is the primary architectural purpose of utilizing AWS IAM Groups?

A) To provide temporary security credentials and facilitate cross-account access.
B) To establish secure encrypted communication channels between applications and services.
C) To efficiently organize large sets of IAM users, making it easier to manage and assign policies.
D) To manage AWS billing structures and enforce cost allocation tags.
E) To distribute resource-based policies efficiently between S3 buckets and EC2 instances.
F) To authenticate external users logging in via Identity Federation mechanisms.
Correct Answer: C - To efficiently organize large sets of IAM users, making it easier to manage and assign policies.
9
Which specific entities can be contained as members within an AWS IAM Group?

A) IAM Users and IAM Roles.
B) Only IAM Users.
C) IAM Users and other IAM Groups (Nested groups).
D) AWS Resources (such as EC2 instances) and IAM Users.
E) Only the AWS Root User and IAM Roles.
F) IAM Users, IAM Roles, and AWS Managed Policies.
Correct Answer: B - Only IAM Users.
10
An administrator currently has 300 IAM groups in their AWS account and needs to create one more functional group. What must the administrator do in this situation?

A) Nothing, as 300 is a hard limit and no further groups can be created.
B) Simply create it, because the limit for IAM groups is 5,000 per account.
C) Raise a support ticket with AWS to increase the soft limit of 300 groups.
D) Nest the new group inside an existing group to conserve the group quota.
E) Provision the new IAM group in a different AWS region to bypass the limit.
F) Delete the default "All Users" group to free up space for the new functional group.
Correct Answer: C - Raise a support ticket with AWS to increase the soft limit of 300 grou