Questions 64 and 65

Explanations for questions 64 and 65

Question 64

A new department will begin using AWS services and an AWS account. A solutions architect needs to create an authentication and authorization strategy. Which of the following statements regarding IAM groups are correct? (Select TWO)

  1. IAM groups can be used to assign permissions to users.
  2. IAM groups can be nested up to four levels.
  3. IAM groups can be used to group EC2 instances.
  4. IAM groups can temporarily assume a role to take on permissions for a specific task.
  5. An IAM group is not an identity and cannot be identified as a principal in an IAM policy.

Correct Answer: 1, 5

Explanation: An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. The following facts apply to IAM groups:

  • Groups are collections of users and have policies attached to them.
  • A group is not an identity and cannot be identified as a principal in an IAM policy.
  • Use groups to assign permissions to users.
  • IAM groups cannot be used to group EC2 instances.
  • Only users and services can assume a role to take on permissions (not groups).

CORRECT: “IAM groups can be used to assign permissions to users.” is a correct answer.

INCORRECT: “IAM groups can be nested up to four levels.” is incorrect because IAM groups cannot be nested.

INCORRECT: “IAM groups can be used to group EC2 instances.” is incorrect because groups can only contain IAM users.

INCORRECT: “IAM groups can temporarily assume a role to take on permissions for a specific task.” is incorrect because only users and services can assume a role, not groups.

CORRECT: “An IAM group is not an identity and cannot be identified as a principal in an IAM policy.” is also a correct answer.
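The point that a group cannot be a principal can be checked statically before a resource-based or role trust policy is deployed. The following is an added example, not part of the original explanation; the sample policy, account ID, bucket name and function names are constructed for illustration.

```python
import json

# Constructed sample: a bucket policy whose second statement names a group
# as a principal (account ID, bucket and names are placeholders).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "UserOk", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "GroupBad", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:role/app",
                           "arn:aws:iam::111122223333:group/Developers"]},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

def _as_list(value):
    # Policy elements may be a single value or a list of values.
    return value if isinstance(value, list) else [value]

def is_group_arn(principal):
    # ARN layout: arn:partition:service:region:account-id:resource
    parts = principal.split(":", 5)
    return (len(parts) == 6 and parts[0] == "arn" and parts[2] == "iam"
            and parts[5].startswith("group/"))

def find_group_principals(policy):
    """Return (statement label, element name, ARN) for each group principal."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        label = stmt.get("Sid", f"statement[{index}]")
        for key in ("Principal", "NotPrincipal"):
            element = stmt.get(key)
            if element is None:
                continue
            # "Principal": "*" is a bare string; otherwise a map of type -> value(s).
            values = [element] if isinstance(element, str) else [
                v for vals in element.values() for v in _as_list(vals)]
            findings += [(label, key, v) for v in values if is_group_arn(v)]
    return findings

if __name__ == "__main__":
    for label, key, arn in find_group_principals(SAMPLE_POLICY):
        print(f"{label}: {key} names an IAM group, which is not a principal: {arn}")
```

To grant the same access to the members of a group, attach an identity-based policy to the group instead of naming the group in the resource policy.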

References: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html