Exam AWS Certified Cloud Practitioner CLF-C02 topic 1 question 216 discussion

IAM user groups allow you to group users with similar job roles or responsibilities together. Instead of managing individual user permissions, you can assign IAM policies to these groups. When an employee changes teams or job roles, you can simply add or remove them from relevant user groups, and the permissions associated with the group will be applied automatically to the user.

IAM roles are the most suitable resource for managing permissions in a scenario where employees frequently change teams and have different job roles and responsibilities. IAM roles allow you to define a set of permissions and policies and then assign those roles to users or AWS services as needed. This way, you can grant temporary access based on the user's current job responsibilities, and the users do not have to be directly assigned specific permissions. IAM user groups (option A) are typically used to simplify the management of permissions for sets of users who share common job responsibilities. However, roles provide more flexibility in dynamic scenarios where users move between teams.

IAM user groups allow you to group users with similar job roles or responsibilities together. Instead of managing individual user permissions, you can assign IAM policies to these groups. When an employee changes teams or job roles, you can simply add or remove them from relevant user groups, and the permissions associated with the group will be applied automatically to the user. upvoted 12 tim

Both Microsoft Azure AD and AWS Cloud are similar in terms of grouping. Policies can only exist in grouping from my experience in IT.

IAM roles are great for granting temporary permissions or cross-account access, they are not meant for day-to-day management of user permissions directly.

A. IAM User Groups - allows you to assign users to groups based on their job role. Then you can assign specific permissions to that group and modify as needed. If the user changes job roles, simply move them to a different group.

A IAM user groups allow you to organize users based on job roles or teams and assign common permissions to all members of the group. This minimizes operational overhead because you only need to manage permissions at the group level. When employees change teams, you simply move them from one group to another. The permissions attached to the groups (via IAM roles or policies) automatically apply to the users.

Users: End User (Think People). Groups: A collection of users under one set of permissions (permission as policy). As per IAM standards we create groups with permissions and then assign user to that group. Role: you create roles and assign them to AWS resource (AWS resource example can be a customer, supplier, contractor, employee, an EC2 instance, some external application outside AWS) but remember you can't assign role to user.

IAM User groups make more sense. The company has teams or "Groups" with different job roles, and often, employees jump to other teams. They want to know which will have the least operational overhead. Changing a user to a different group will grant them that team's current access.

The correct answer is: B. IAM roles Explanation: IAM roles allow you to delegate permissions that determine what the identity can and cannot do in AWS. You can use roles to delegate permissions to users, applications, or services that don't normally have access to your AWS resources. By using IAM roles, the company can easily manage permissions even when employees change teams, reducing operational overhead.

IAM user roles are used to group users with the same role, note the keyword here is "different roles" so the answer is B

B. IAM roles. IAM roles are designed for granting temporary access to users or applications. They can be assigned to IAM users or AWS services, and permissions are assigned to the role rather than individual users. This means that when an employee changes teams, you can simply assign them a different role with the appropriate permissions for their new responsibilities, without having to modify individual user permissions or create new user groups. This flexibility reduces operational overhead.

IAM User Groups is the correct answer. IAM Roles are intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. You can use roles to delegate access to users, applications, or services that don't normally have access to your AWS resources. We want these users to normally have access to the resources that fit their current job description, hence why IAM Groups are better. IAM Groups: An IAM user group is a collection of IAM users. User groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. Sources: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

A is the right answer. We are talking about the team members and permissions which is related to Users & Groups.

B is Correct

IAM Roles, the official course suggest it

IAM Role User Groups are not the least operational overhead