In this recipe, we created groups from the console. We can also create groups from the CLI using the following command:

aws cognito-idp create-group 
    --group-name 'Admins' 
    --user-pool-id us-east-1_Q1cydt6I0 
    --description 'Admins Group' 
    --profile awssecadmin

We can add a user to a group from the CLI with the following command:

aws cognito-idp admin-add-user-to-group 
    --user-pool-id us-east-1_Q1cydt6I0 
    --username testuser4 
    --group-name Admins 
    --profile awssecadmin

We can list the groups for a user as follows:

aws cognito-idp admin-list-groups-for-user 
    --username testuser4 
    --user-pool-id us-east-1_Q1cydt6I0 
    --profile awssecadmin

This will give a response similar to the one shown here:

From the application, we can check for a user's groups and then provide special privileges.