Yogita Sharma

Understanding IAM

What is IAM:
IAM is a web service that enables you to securely manage and access AWS services. It helps you to control who is authenticated and authorized to use the services. It is integrated well with every other AWS service.

IAM service usage is FREE!

Let us take the example of an organization that has different departments, such as the software department, legal department, finance department, travel, etc. Each department has people working for it with specific duties or roles. For example, the software development department will have software professionals, the legal department will have lawyers, and the finance department will have finance-related experts.
In this organization, software professionals will have access to codebases and servers but are unlikely to have access to legal and financial documents.
Integrated access management (IAM) is done by creating specific roles, i.e., a certain type of access is given to the individuals who have a certain role.


Features of IAM:

  • IAM helps to securely manage AWS services and resources.
  • It allows us to create principals such as users, groups, and roles to have secure access to the resources.
  • IAM allows us to define policies in which we allow or deny access to the resources.
  • It supports identity federation for delegated access to the AWS Management Console or AWS APIs.
  • It provides multi-factor authentication.
  • It provides a policy simulator.

IAM Identities:
An IAM Identity provides access to an AWS account, represents a user, and can be authenticated to perform actions in AWS. Policies determine what actions a user, role, or member of a user group can perform on which AWS resources and under what conditions.
A user group is similar to a user: it is an identity with permission policies that determine what the identity can and cannot do in AWS. A role, however, does not have any credentials (password or access keys) associated with it.

IAM Users:
An IAM user is an entity that you create in AWS and represents the person or service that interacts with AWS. The main purpose for IAM users is to give people the ability to sign in to the AWS Management Console for interactive tasks and to make programmatic requests to AWS services using the API or CLI.
A user consists of a name, a password to sign into the AWS Management Console, and up to two access keys that can be used with the API or CLI.
When created, an IAM user is granted permission through membership in a user group that has appropriate permission policies attached (recommended) or by directly attaching policies to the user.
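To show how permissions from a user group and from a directly attached policy combine, here is an added Python example (not code from the original post, and not AWS's own evaluation engine) that models identity-based policy evaluation: a request is denied by default, a matching Allow permits it, and any matching Deny overrides every Allow. The policy documents, bucket names, and function names are constructed for illustration; the model assumes identity-based policies only and ignores conditions, permission boundaries, resource-based policies, and organization-level controls.

```python
from fnmatch import fnmatchcase

# Constructed sample policies in IAM's JSON policy shape (bucket names are made up).
DEV_GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-codebase/*"},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-legal-docs/*"},
]}
USER_INLINE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-legal-docs/*"},
]}


def _as_list(value):
    # Policy fields may hold a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    # fnmatch stands in for IAM's * and ? wildcards (assumption of this model).
    action_hit = any(fnmatchcase(action.lower(), p.lower())
                     for p in _as_list(statement["Action"]))
    resource_hit = any(fnmatchcase(resource, p)
                       for p in _as_list(statement["Resource"]))
    return action_hit and resource_hit


def effective_policies(user_policies, group_policies):
    # A user's permissions are the union of direct and group-attached policies.
    return list(user_policies) + list(group_policies)


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if not _matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"   # any matching Deny wins outright
            allowed = True              # remember that some Allow matched
    return "Allow" if allowed else "ImplicitDeny"  # no match means denied
```

In the organization example above, a developer whose inline policy allows reading legal documents is still blocked when the developers' group policy denies that bucket, which is why group-level guardrails hold even if an individual user is given extra permissions.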

IAM Groups:
A group is a collection of users. User groups specify permissions for a collection of users, making those permissions easier to manage.
A user group cannot be identified as a Principal, a person, or an application that can request an action or operation on an AWS resource in a resource-based p
