IAM & AWS CLI

IAM: users and groups

IAM (Identity and Access Management) is a global service: it is needed to sign in to your AWS console at all, so if it were available in only one region, the other regions could not work.

The root account is created by default when you register for an AWS account. It should not be used or shared; use it only to create other accounts (users) with permissions, because the root account has access to everything.

Users are people within your organization, and they can be grouped.

Groups can only contain users, not other groups.

Users don't have to belong to a group, and a user can belong to multiple groups.

Why groups and users?

Users or groups can be assigned JSON documents called policies, which state what the user/group is allowed to do.

IAM policies define the permissions of users.

By default, a user is not allowed to do anything. Apply the least privilege principle: don't give more permissions than a user needs to complete a task. For example, if a user only needs to work on one EC2 instance, give permission to work on that EC2 instance only; don't give permission to work on all EC2 instances.
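As an added illustration (not from the original notes), here is the EC2 example expressed as two policy documents, an over-broad one and a least-privilege one, run through a simplified evaluator. The account id and instance ids are constructed placeholders, and `is_allowed` is an educational simplification of IAM's explicit-deny / default-deny logic, not the real IAM engine.

```python
import fnmatch

# Constructed sample identifiers (placeholders, not real AWS resources).
ACCOUNT = "123456789012"
ONE_INSTANCE = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0abc123def456789a"
OTHER_INSTANCE = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0fedcba987654321b"

# Over-broad policy: every EC2 action on every resource in the account.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

# Least-privilege policy: only start/stop the one instance the user works on.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": ONE_INSTANCE,
        }
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified identity-based policy evaluation (educational, not the real engine):
    an explicit Deny wins over any Allow, and with no matching Allow the default is deny.
    '*' wildcards are matched with fnmatch; action names compare case-insensitively,
    resource ARNs case-sensitively, as IAM does."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(
            fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])
        )
        resource_hit = any(
            fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])
        )
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The broad policy lets the user terminate any instance in the account, while the scoped one permits only start/stop of the single instance and nothing else.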