diff --git a/packages/amplify-e2e-tests/src/__tests__/auth/user-groups.test.ts b/packages/amplify-e2e-tests/src/__tests__/auth/user-groups.test.ts
index a263ae8979d..34f70fdea0c 100644
--- a/packages/amplify-e2e-tests/src/__tests__/auth/user-groups.test.ts
+++ b/packages/amplify-e2e-tests/src/__tests__/auth/user-groups.test.ts
@@ -2,6 +2,7 @@ import {
   addAuthWithDefault,
   addAuthWithGroups,
   amplifyPushAuth,
+  amplifyPushNonInteractive,
   createNewProjectDir,
   deleteProject,
   deleteProjectDir,
@@ -9,7 +10,9 @@ import {
   getProjectMeta,
   initJSProjectWithProfile,
   updateAuthAddUserGroups,
+  updateHeadlessAuth,
 } from '@aws-amplify/amplify-e2e-core';
+import { UpdateAuthRequest } from 'amplify-headless-interface';
 
 const defaultsSettings = {
   name: 'authTest',
@@ -102,5 +105,54 @@ describe('user group tests', () => {
         expect(identityPoolRoles.RoleMappings[roleMapKeyWebClientId].Type).toEqual('Token');
       });
     });
+
+    describe('...updating headless to add a user pool group', () => {
+      it('...assigns authenticated roles for users added to user group', async () => {
+        await initJSProjectWithProfile(projRoot, defaultsSettings);
+        await addAuthWithDefault(projRoot);
+        await amplifyPushNonInteractive(projRoot);
+        const updateAuthRequest: UpdateAuthRequest = {
+          version: 2,
+          serviceModification: {
+            serviceName: 'Cognito',
+            userPoolModification: {
+              autoVerifiedAttributes: [
+                {
+                  type: 'EMAIL',
+                },
+              ],
+              userPoolGroups: [
+                {
+                  groupName: 'Admins',
+                },
+                {
+                  groupName: 'Users',
+                },
+              ],
+            },
+            includeIdentityPool: true,
+            identityPoolModification: {},
+          },
+        };
+
+        await updateHeadlessAuth(projRoot, updateAuthRequest);
+        await amplifyPushNonInteractive(projRoot);
+
+        const meta = getProjectMeta(projRoot);
+        const region = meta.providers.awscloudformation.Region;
+        const { AppClientID, AppClientIDWeb, IdentityPoolId, UserPoolId } = Object.keys(meta.auth)
+          .map((key) => meta.auth[key])
+          .find((auth) => auth.service === 'Cognito').output;
+
+        const identityPoolRoles = await getIdentityPoolRoles(IdentityPoolId, region);
+        const roleMapKeyClientId = `cognito-idp.${region}.amazonaws.com/${UserPoolId}:${AppClientID}`;
+        const roleMapKeyWebClientId = `cognito-idp.${region}.amazonaws.com/${UserPoolId}:${AppClientIDWeb}`;
+
+        expect(identityPoolRoles.RoleMappings[roleMapKeyClientId].AmbiguousRoleResolution).toEqual('AuthenticatedRole');
+        expect(identityPoolRoles.RoleMappings[roleMapKeyClientId].Type).toEqual('Token');
+        expect(identityPoolRoles.RoleMappings[roleMapKeyWebClientId].AmbiguousRoleResolution).toEqual('AuthenticatedRole');
+        expect(identityPoolRoles.RoleMappings[roleMapKeyWebClientId].Type).toEqual('Token');
+      });
+    });
   });
 });