I. Introduction

  1. IAM (Identity and Access Management) is the center of AWS.

  2. Root account should never be used or shared.

  3. "Users" and "Groups" are for people, "Roles" are for machines.

  4. "Permissions" are governed by "Policies" which are in JSON format.

  5. An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.

    1. Groups are collections of users and have policies attached to them
    2. A group is not an identity and cannot be identified as a principal in an IAM policy
    3. Use groups to assign permissions to users
    4. IAM groups cannot be used to group EC2 instances
    5. Groups cannot belong to other groups, i.e. no nesting!
    6. CANNOT add a role to a group
    7. Only users and services can assume a role to take on permissions (NOT groups)

  6. IAM comes with managed policies.

  7. It's best to give users the least permissions they need to perform their job (principle of least privilege).

  8. IAM Federation - Big enterprises have their own repository of users that can be integrated with IAM. This way, one can log in to AWS using their company credentials (SAML).

  9. One IAM user per physical person.

  10. One IAM role per application.

  11. IAM roles cannot make direct requests to AWS services; they are meant to be assumed by authorized entities, such as IAM users, applications, or AWS services such as EC2. Use IAM roles to delegate access within or between AWS accounts.

  12. IAM credentials should never be shared.

  13. Never use root account except for initial setup.

  14. Always create an IAM user when setting up AWS!
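Added example, not part of the original notes: points 4 and 7 above say that permissions are JSON policy documents and that users should get the least permissions they need. The script below holds a least-privilege identity policy next to an over-broad one and runs a small checker that flags Allow statements whose Action or Resource is a wildcard. The bucket name and policy contents are constructed placeholders; the checker is a simple illustration and does not cover `NotAction`, conditions or resource policies.

```python
"""Least-privilege check for IAM policy documents (added example).

IAM policies are JSON; this shows one least-privilege policy, one
over-broad policy, and a checker that flags wildcard grants.
"""
import json

# Constructed example: an app that only needs to read one S3 prefix.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadAppConfig",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-app-bucket/config/*",
        }
    ],
}

# Constructed example: the admin-style grant the notes warn against.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM lets Action/Resource/Statement be a string, a dict or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return (sid, field, value) findings for Allow statements that grant
    every action ('*'), every action of a service ('s3:*') or every resource ('*')."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access, so they are not flagged
        sid = stmt.get("Sid", f"Statement{i}")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((sid, "Resource", resource))
    return findings


def policy_json(policy):
    """Serialise the document as you would pass it to `aws iam create-policy --policy-document`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, pol in [("least-privilege", LEAST_PRIVILEGE_POLICY), ("over-broad", OVERBROAD_POLICY)]:
        print(f"{name}: {find_overbroad_statements(pol) or 'no wildcard grants'}")
```

Running it prints no findings for the scoped policy and two findings (Action and Resource) for the wildcard one; attaching the checker to a CI step that reviews policy files before `create-policy` is a cheap way to enforce the least-privilege note.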

https://prod-files-secure.s3.us-west-2.amazonaws.com/4b1ebf36-c889-4d85-858e-cb2146e77ba5/48b26470-38cc-44be-b752-80c082125626/Screen_Shot_2020-08-27_at_6.49.41_PM.png

https://prod-files-secure.s3.us-west-2.amazonaws.com/4b1ebf36-c889-4d85-858e-cb2146e77ba5/80eb1ce4-fc32-4f11-a294-f5fed0861c46/Screen_Shot_2020-10-02_at_8.30.45_PM.png

II. STS

  1. Allows granting limited and temporary access to AWS resources.
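Added example, not from the original notes: how a role is assumed through STS to obtain temporary credentials, tying point I.11 (roles are assumed, not used directly) to the STS point above. The STS client is passed in so the flow runs offline against the constructed `StubSts` below; with boto3 installed you would pass `boto3.client("sts")`, whose `assume_role` call has the same parameters. The role ARN, account id (111122223333 is AWS's documentation placeholder) and stub credential values are all constructed.

```python
"""Assume an IAM role via STS and track credential expiry (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed trust policy: only principals in account 111122223333 may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}
ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleAppRole"  # constructed placeholder

STS_MIN_DURATION = 900  # AssumeRole's minimum DurationSeconds


class StubSts:
    """Constructed stand-in for boto3's STS client so the example runs offline.
    It records the last request and returns credentials shaped like a real response."""

    def __init__(self):
        self.last_call = None

    def assume_role(self, **kwargs):
        self.last_call = kwargs
        return {
            "Credentials": {
                "AccessKeyId": "ASIACONSTRUCTEDEXAMPLE",
                "SecretAccessKey": "CONSTRUCTED_SECRET",
                "SessionToken": "CONSTRUCTED_SESSION_TOKEN",
                "Expiration": datetime.now(timezone.utc)
                + timedelta(seconds=kwargs["DurationSeconds"]),
            }
        }


def assume_role(sts_client, role_arn, session_name, duration_seconds=STS_MIN_DURATION):
    """Call sts:AssumeRole and return the temporary keys plus their expiry.
    Short sessions are preferred; DurationSeconds is clamped up to the STS minimum."""
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,  # shows up in CloudTrail, so use a meaningful name
        DurationSeconds=max(STS_MIN_DURATION, duration_seconds),
    )
    creds = resp["Credentials"]
    return {
        "access_key": creds["AccessKeyId"],
        "secret_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],
        "expires_at": creds["Expiration"],
    }


def credentials_valid(creds, now=None):
    """True while the temporary credentials have not yet expired."""
    now = now or datetime.now(timezone.utc)
    return creds["expires_at"] > now


if __name__ == "__main__":
    temp = assume_role(StubSts(), ROLE_ARN, "ci-deploy", duration_seconds=60)
    print("valid now:", credentials_valid(temp), "expires:", temp["expires_at"])
```

The trust policy lives on the role and decides who may assume it; the caller's own identity policy must also allow `sts:AssumeRole` on that role ARN. Because the session token expires, long-running callers should re-assume rather than cache the credentials indefinitely.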