- IAM is a global service: users, groups, roles and policies are not tied to a specific region
-
Users
- Represents a person or an application that needs its own long-term credentials
- Users have no permissions when first created: every request is implicitly denied until a policy grants it
-
Groups
- Contains users
- Users should inherit permissions from groups
- Based on job functions
- Developer
- Administrator
- IAM policy documents should be attached to groups, not to individual users, so permissions stay consistent and easy to audit
-
Roles
- Internal to AWS: an identity with permissions but no long-term credentials, assumed by an AWS service, a user or a federated identity and backed by temporary credentials
- Allows one AWS resource to access another AWS resource (for example, an EC2 instance reading from S3) without embedding access keys
-
Least privilege
- Only assign a user the minimum set of privileges they need to do their job, and add an explicit Deny for actions that must never be possible, since a Deny overrides any Allow
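The default-deny, group-inheritance and least-privilege points above, as an added Python example that is not from the notes or from AWS: a small model of how IAM evaluates a single request against the policies a user inherits from their groups. The user names, group names and policy documents are constructed for illustration; only `Action` and `Resource` matching is modelled (no `Condition`, `NotAction` or resource-based policies), but the decision order is the real one: an explicit Deny wins, then an Allow, otherwise the request is denied.

```python
import fnmatch
from typing import Any, Dict, List, Union

JsonDoc = Dict[str, Any]

# Constructed sample policy documents (hypothetical; not from the notes).
DEVELOPER_POLICY: JsonDoc = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::app-artifacts*"},
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
    ],
}
# Guardrail: a Deny cannot be overridden by any later Allow.
NO_BUCKET_DELETION: JsonDoc = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}],
}
ADMIN_POLICY: JsonDoc = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Policies attach to groups; users only get group membership.
GROUP_POLICIES: Dict[str, List[JsonDoc]] = {
    "Developers": [DEVELOPER_POLICY, NO_BUCKET_DELETION],
    "Administrators": [ADMIN_POLICY],
}
USER_GROUPS: Dict[str, List[str]] = {
    "alice": ["Developers"],
    "bob": ["Administrators"],
    "carol": [],  # freshly created user: no groups, hence no permissions
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' one character.
    Action names are case-insensitive in IAM; ARNs are compared as written."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _statement_applies(stmt: JsonDoc, action: str, resource: str) -> bool:
    # Only Action and Resource are modelled here; NotAction, NotResource and
    # Condition are not, so policies using them need the full evaluator.
    action_hit = any(_matches(p, action, True) for p in _as_list(stmt["Action"]))
    resource_hit = any(_matches(p, resource, False) for p in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def evaluate(policies: List[JsonDoc], action: str, resource: str) -> str:
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.
    A matching Deny always wins, then a matching Allow, otherwise the
    request is denied by default."""
    decision = "implicit_deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            decision = "allow"
    return decision


def effective_policies(user: str) -> List[JsonDoc]:
    """Everything a user can do comes from the groups they belong to."""
    return [p for g in USER_GROUPS.get(user, []) for p in GROUP_POLICIES[g]]


def is_allowed(user: str, action: str, resource: str) -> bool:
    return evaluate(effective_policies(user), action, resource) == "allow"


if __name__ == "__main__":
    artifact = "arn:aws:s3:::app-artifacts/build.zip"
    for user, action in [("carol", "s3:GetObject"), ("alice", "s3:GetObject"),
                         ("alice", "s3:DeleteBucket"), ("bob", "s3:DeleteBucket")]:
        print(f"{user:6} {action:16} -> {evaluate(effective_policies(user), action, artifact)}")
```

Running the block shows the three outcomes side by side: carol is implicitly denied because nothing grants her anything, alice is allowed to read the bucket but explicitly denied from deleting it even though she is a developer, and bob's administrator Allow covers the deletion because his group carries no Deny.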
-
Access Key/Secret Access Key
- Provides programmatic access to the AWS API, CLI, SDKs and other development tools
- Not the same as the username and password used for the console; a user can have either, both or neither
- The secret access key is shown only once, when the access key is created
- If you lose the secret it cannot be recovered: deactivate and delete the old key and create a new one, so save it in a secure location (a secrets manager, never in source code)
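A rotation procedure for the situation in the two bullets above, as an added example that is not from the notes and not AWS code. `FakeIam` is a constructed in-memory stand-in that mirrors the call shapes of the four boto3 IAM client methods the procedure uses (`list_access_keys`, `create_access_key`, `update_access_key`, `delete_access_key`), including IAM's hard limit of two access keys per user; a real `boto3.client("iam")` can be passed in its place. The secret appears only in the `create_access_key` response, which is why the caller has to store it immediately.

```python
import secrets
from typing import Any, Callable, Dict, List

MAX_KEYS_PER_USER = 2  # hard IAM quota: an IAM user can hold at most two access keys


class FakeIam:
    """Constructed in-memory stand-in for boto3's IAM client (not AWS code).
    It mirrors the call shapes of the four methods used below so that
    boto3.client("iam") can be dropped in unchanged."""

    def __init__(self) -> None:
        self._keys: Dict[str, List[Dict[str, str]]] = {}

    def _find(self, user: str, key_id: str) -> Dict[str, str]:
        for key in self._keys.get(user, []):
            if key["AccessKeyId"] == key_id:
                return key
        raise KeyError(f"NoSuchEntity: {key_id}")

    def list_access_keys(self, UserName: str) -> Dict[str, Any]:
        # Metadata only: the secret is never listable after creation.
        return {"AccessKeyMetadata": [dict(k) for k in self._keys.get(UserName, [])]}

    def create_access_key(self, UserName: str) -> Dict[str, Any]:
        keys = self._keys.setdefault(UserName, [])
        if len(keys) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: AccessKeysPerUser quota reached")
        key_id = "AKIA" + secrets.token_hex(8).upper()
        keys.append({"AccessKeyId": key_id, "Status": "Active"})
        # This response is the only place the secret ever appears.
        return {"AccessKey": {"AccessKeyId": key_id, "Status": "Active",
                              "SecretAccessKey": secrets.token_urlsafe(30)}}

    def update_access_key(self, UserName: str, AccessKeyId: str, Status: str) -> None:
        self._find(UserName, AccessKeyId)["Status"] = Status

    def delete_access_key(self, UserName: str, AccessKeyId: str) -> None:
        self._keys[UserName].remove(self._find(UserName, AccessKeyId))


def rotate_access_key(iam: Any, user: str,
                      verify: Callable[[str, str], bool]) -> Dict[str, str]:
    """Issue a replacement key and deactivate (not delete) the old ones.
    `verify` receives the new key id and secret and must return True once
    the caller has confirmed the new key works (for example by calling
    sts:GetCallerIdentity with it). Returns the new pair; the secret in it
    is the only copy that will ever exist."""
    existing = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(existing) >= MAX_KEYS_PER_USER:
        raise RuntimeError(f"{user} already has {len(existing)} keys; "
                           "delete an unused one before rotating")
    new = iam.create_access_key(UserName=user)["AccessKey"]
    if not verify(new["AccessKeyId"], new["SecretAccessKey"]):
        # Roll back so an untested key is not left behind.
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("new key failed verification; old key left untouched")
    for old in existing:
        # An inactive key can be re-enabled if something still depended on it;
        # deletion is irreversible, so it is a separate, later step.
        iam.update_access_key(UserName=user, AccessKeyId=old["AccessKeyId"],
                              Status="Inactive")
    return {"AccessKeyId": new["AccessKeyId"], "SecretAccessKey": new["SecretAccessKey"]}


def purge_inactive_keys(iam: Any, user: str) -> List[str]:
    """Delete every inactive key; run after a grace period has shown that
    nothing broke. Returns the ids that were deleted."""
    deleted = []
    for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
        if key["Status"] == "Inactive":
            iam.delete_access_key(UserName=user, AccessKeyId=key["AccessKeyId"])
            deleted.append(key["AccessKeyId"])
    return deleted


if __name__ == "__main__":
    client = FakeIam()
    client.create_access_key(UserName="alice")  # the key being replaced
    pair = rotate_access_key(client, "alice", verify=lambda key_id, secret: True)
    print("store this now; it will not be shown again:", pair)
    print("deleted after grace period:", purge_inactive_keys(client, "alice"))
```

The two-step shape (deactivate now, delete later) is deliberate: if a forgotten script or CI job was still using the old key, flipping it back to Active is a one-line fix, whereas a deleted key can only be replaced by yet another rotation. The two-key quota also means a user who already has two keys cannot be rotated in place; one of them has to go first.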
-
Password
- Enables a user to log in to the AWS Management Console with a username and password (separate from access keys)
- The account password policy lets you require minimum length and complexity, enforce rotation and prevent password reuse
-
Identity Federation
- Uses an existing corporate identity and credentials (usually Active Directory) to log in to AWS instead of creating a separate IAM user for each person
- Uses the SAML 2.0 standard: the identity provider (for Active Directory, typically AD FS) authenticates the user and AWS issues temporary credentials for an IAM role, so no long-term AWS credentials are handed out