Intro
- IAM is a global service: IAM entities (users, groups, roles, policies) are not scoped to a region and can be used in any region without being recreated.
- The IAM Query API can be used to make direct calls to the IAM web service, authenticating each request with an access key ID and secret access key.
- By default, IAM users do not have access to the AWS Billing and Cost Management console.
- The following policy types only limit the permissions an identity can have; on their own they never grant any permission:
- Service Control Policy (SCP)
- Permission Boundary
- SMS-based MFA is available only for IAM users, not for the root user.
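The rule that SCPs and permission boundaries can only restrict, never grant, is easiest to see with a small evaluator. The block below is an added illustration written for these notes (it is not AWS code and does not reproduce the full AWS policy evaluation logic): it models only Action/Effect matching with wildcards and leaves out Resource, Condition and resource-based policies. The policy documents and account details are constructed samples.

```python
"""Simplified effective-permission evaluator (added illustration, not AWS code).

Evaluation order modelled here, simplified from the AWS policy evaluation logic:
  1. an explicit Deny in any applicable policy wins;
  2. otherwise the action must be allowed by the identity-based policy AND by the
     SCP AND by the permission boundary (when one is attached).
An SCP or boundary that merely allows an action grants nothing if the
identity-based policy is silent about it.
"""
import fnmatch

# ---- constructed sample policies ---------------------------------------------
DEVELOPER_POLICY = {  # identity-based policy attached to a user or group
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "iam:ListRoles"]},
    ],
}
ORG_SCP = {  # typical SCP: FullAWSAccess plus a targeted deny
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances"},
    ],
}
BOUNDARY = {  # permission boundary: the ceiling for the identity
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "sts:GetCallerIdentity"]},
    ],
}


def _as_list(value):
    """IAM allows most policy fields to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _policy_decision(policy, action):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document.

    Action names are matched case-insensitively; '*' and '?' act as wildcards.
    """
    decision = None
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny: stop looking
            decision = "Allow"
    return decision


def is_allowed(action, identity_policy, scp=None, boundary=None):
    """True only if every applicable policy allows the action and none denies it."""
    decisions = [_policy_decision(identity_policy, action)]
    if scp is not None:
        decisions.append(_policy_decision(scp, action))
    if boundary is not None:
        decisions.append(_policy_decision(boundary, action))
    if "Deny" in decisions:
        return False
    return all(d == "Allow" for d in decisions)


if __name__ == "__main__":
    for act in ["s3:GetObject", "ec2:DescribeInstances", "ec2:RunInstances",
                "ec2:TerminateInstances", "iam:ListRoles", "sts:GetCallerIdentity"]:
        print(f"{act:28} identity-only={is_allowed(act, DEVELOPER_POLICY)!s:5} "
              f"with SCP+boundary={is_allowed(act, DEVELOPER_POLICY, ORG_SCP, BOUNDARY)}")
```

Running it shows `iam:ListRoles` and `ec2:RunInstances` allowed by the identity policy alone but cut off by the boundary, `ec2:TerminateInstances` blocked by the SCP's explicit deny, and `sts:GetCallerIdentity` denied even though the boundary lists it, because the identity policy never granted it.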
Users & Groups
- Groups are collections of users and have policies attached to them
- Groups cannot be nested
- User can belong to multiple groups
- User doesn't have to belong to a group
- Root User has full access to the account
- An IAM user has only the permissions granted by the policies attached to it, directly or through its groups.
- Even when you have root credentials, do day-to-day work signed in as an IAM user with admin access; this limits the damage a mistake can do.
- Only users and services can assume a role (not groups).
- A new IAM user created through the AWS CLI or AWS API has no credentials until you create them (a console password and/or access keys).
<aside>
💡 IAM groups cannot be specified as a principal in an IAM policy; use a user, role or account ARN instead.
</aside>
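Because a group ARN in a `Principal` element is rejected by AWS, it is worth catching in review before a resource-based policy is applied. The following check is an added example for these notes, not AWS tooling: it walks a policy document and returns every `AWS` principal that points at an IAM group. The bucket policy and account ID are constructed samples.

```python
"""Lint check: flag IAM group ARNs used as principals (added example, not AWS code)."""
import re

# Group ARNs look like arn:aws:iam::123456789012:group/Name (partition may vary,
# e.g. aws-us-gov or aws-cn, hence the character class after "arn:").
GROUP_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:group/")


def _as_list(value):
    """IAM allows most policy fields to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _aws_principals(principal):
    """Extract the AWS-account/user/role principals from a Principal element.

    A bare "*" or the Service/Federated keys cannot name a group, so they are skipped.
    """
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return []


def group_principals(policy):
    """Return every Principal/NotPrincipal entry that is an IAM group ARN."""
    offending = []
    for stmt in _as_list(policy["Statement"]):
        for key in ("Principal", "NotPrincipal"):
            for arn in _aws_principals(stmt.get(key)):
                if GROUP_ARN.match(arn):
                    offending.append(arn)
    return offending


# Constructed sample: a bucket policy that mistakenly names a group alongside a role.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": [
                "arn:aws:iam::111122223333:role/AppRole",
                "arn:aws:iam::111122223333:group/Developers",
            ]},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/AWSLogs/*",
        },
    ],
}

if __name__ == "__main__":
    for arn in group_principals(SAMPLE_BUCKET_POLICY):
        print(f"group used as principal (not supported by IAM): {arn}")
```

The fix for a flagged policy is to grant the group's members access through an identity-based policy attached to the group, or to name a role that those users can assume.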
Policies