AWS Identity and Access Management (IAM) lets you securely manage identities and their access to AWS services and resources. By default, IAM denies all actions: you must explicitly grant permission before a user, application or service can perform any action in your account.

When you grant permissions, you should provide access only on a need-to-have basis. This concept is called the principle of least privilege.

The principle of least privilege dictates that you give people and systems access only to what they need to do their job, and nothing else.

AWS IAM Identities

  1. Root User
    • the account owner; has unrestricted access to everything in the account.
  2. Users
    • a person or application that interacts with AWS.
    • consists of a name and credentials.
  3. Groups
    • a collection of IAM users.
    • when you assign permissions to a group, every user in the group inherits those permissions.
  4. Roles
    • an IAM role is an identity you can assume to gain temporary access to a set of permissions.

An IAM policy is a JSON document that allows or denies permission to access AWS services and resources. It can also define the level of access to a resource: for example, a policy can allow employees to access all S3 buckets or only one specific bucket.
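The following is an added example, not part of the original notes and not AWS code: a least-privilege S3 policy written as the JSON an IAM policy actually uses, next to a deliberately broad "all buckets" policy, and a small evaluator that applies the three rules the notes state (implicit deny by default, an explicit Allow is required, an explicit Deny wins). The bucket name is a constructed placeholder, and the evaluator is a simplified model: real IAM also considers service control policies, resource policies, permission boundaries and Condition blocks, which are omitted here.

```python
"""Simplified IAM policy evaluation: implicit deny, explicit allow, explicit deny wins.

Added illustration; the policies below use a constructed bucket name and the
evaluator ignores Conditions, SCPs, resource policies and permission boundaries.
"""
import json
import re

# Constructed least-privilege policy: read-only access to ONE bucket,
# with an explicit Deny carving out a sensitive prefix inside it.
LEAST_PRIVILEGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOneBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-reports-bucket"
    },
    {
      "Sid": "ReadObjectsInOneBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-reports-bucket/*"]
    },
    {
      "Sid": "NeverReadSecretsPrefix",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-reports-bucket/secrets/*"
    }
  ]
}
""")

# Constructed broad policy: every S3 action on every bucket. Not least privilege.
BROAD_S3_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM lets Action and Resource be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def _statement_applies(stmt, action, resource):
    # Action names are case-insensitive in IAM; resource ARNs are compared as written.
    action_hit = any(_wildcard_match(p.lower(), action.lower()) for p in _as_list(stmt["Action"]))
    resource_hit = any(_wildcard_match(p, resource) for p in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one request evaluated against one policy."""
    decision = "Deny"  # implicit deny: nothing is permitted until a statement allows it
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow, wherever it appears
        if stmt["Effect"] == "Allow":
            decision = "Allow"  # keep scanning: a later statement may still deny
    return decision


if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-reports-bucket"
    for policy_name, policy in (("least-privilege", LEAST_PRIVILEGE_POLICY), ("broad", BROAD_S3_POLICY)):
        for action, resource in (
            ("s3:GetObject", f"{bucket}/2024/q1.csv"),
            ("s3:GetObject", f"{bucket}/secrets/db-password.txt"),
            ("s3:PutObject", f"{bucket}/2024/q1.csv"),
            ("s3:GetObject", "arn:aws:s3:::some-other-bucket/data.csv"),
        ):
            print(f"{policy_name:15} {action:13} {resource:55} -> {evaluate(policy, action, resource)}")
```

Reading the output side by side shows why the specific-bucket policy is the least-privilege choice: both policies allow reading reports from the intended bucket, but only the broad one also allows writes and reads of every other bucket in the account, and neither policy grants anything outside S3 because no statement mentions another service.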

Additional access management services

  1. AWS IAM Identity Center
  2. AWS Secrets Manager
  3. AWS Systems Manager