Manage IAM users and their access—You can create users in IAM, assign them individual security credentials (such as access keys, passwords, and multi-factor authentication devices), or request temporary security credentials to provide users access to AWS services and resources. You can manage permissions in order to control which operations a user can perform. IAM users can be:
- Privileged administrators who need console access to manage your AWS resources.
- End users who need access to content in AWS.
- Systems that need privileges to programmatically access your data in AWS.
General Use Cases for Creating IAM Users
- It is a security best practice to not use your root account because the root account grants access to all services and resources. Grant users the minimum amount of privilege necessary, which is known as least privilege.
- You have other people in your group who have varied access and authorization permissions. When you use IAM users, it is easier to assign policies to specific users that access specific services and associated resources.
- An IAM user can use the AWS CLI.
- An IAM user can use a role.
The following diagram describes the canonical use case for creating an IAM user:
A group is a collection of IAM users. Groups let you assign permissions to a collection of users, which can make it easier to manage the permissions for those users. For example, you could have a group called Admins and give that group the types of permissions that administrators typically need. Any user in that group automatically has the permissions that are assigned to the group. If a new user joins your organization and should have administrator privileges, you can assign the appropriate permissions by adding the user to that group. Similarly, if a person changes jobs in your organization, instead of editing that user's permissions, you can remove him or her from the old group and add him or her to the new group.