Intro

• Global Service (IAM entities like roles can be used in any region without recreation)
• IAM Query API can be used to make direct calls to the IAM web service (using access key ID and secret access key for authentication)
• By default, IAM users do not have access to the AWS Billing and Cost Management console.
• The following policy types only limit permissions (cannot grant permissions)
  • Service Control Policy (SCP)
  • Permission Boundary
• SMS-based MFA is available only for IAM users, not for the root user.

Users & Groups

• Groups are collections of users and have policies attached to them
• Groups cannot be nested
• User can belong to multiple groups
• User doesn't have to belong to a group
• Root User has full access to the account
• IAM User has limited permission to the account
• You should log in as an IAM user with admin access even if you have root access. This is just to be sure that nothing goes wrong by accident.
• Only users and services can assume a role (not groups).
• A new IAM user created using the AWS CLI or AWS API has no AWS credentials.

<aside> 💡 IAM Groups cannot be identified as principal in an IAM policy.

</aside>

Policies