IAM: Users, Groups, Roles, Policies

  • STEPS

    1. IAM User

    An IAM user is an identity for a single person or application. A user has a name and, optionally, a console password and up to two access keys (an access key ID plus a secret access key) for API and CLI calls. These credentials only authenticate the user; what the user is allowed to do is decided by the policies an administrator attaches, and a newly created user has no permissions at all.

    2. AWS Groups

    An IAM group is a collection of users. Policies are attached to the group and every member inherits them, so changing the group's policies changes the permissions of every user in it. This avoids assigning the same permissions user by user, and when someone changes jobs, moving them between groups swaps their permission set instead of editing the individual user.

    3. Role

    A role is an IAM identity with permission policies like a user, but with no long-term credentials of its own. Instead, a user, an AWS service, or a principal in another account assumes the role and receives temporary credentials from AWS STS. Roles are particularly useful when granting permissions to new users or changing the permissions of users who have moved jobs within the organization, because access is granted or withdrawn by allowing or revoking the ability to assume the role rather than by issuing new credentials.

    Example of an AWS IAM Role: an organization undergoes a major expansion to undertake a new project. New employees are coming in, and current employees are shifting positions laterally within the organization. The current employees no longer need some of their old permissions but need new ones, and the new employees need a wide variety of permissions to do their jobs. To accommodate this rapid growth, IT administrators need a way to quickly control access to their cloud resources while keeping the infrastructure secure: rather than issuing and revoking credentials per person, they grant or revoke the ability to assume the role that carries each job's permissions.

    Benefits of IAM Roles:
    1. No static (long-term) credentials are required; assuming the role returns temporary credentials that expire
    2. Permissions can be granted to third parties (another AWS account or an AWS service) without creating a dedicated IAM user
    3. Granular permissions scoped to a specific use case

    4. Policies

    Policies are JSON documents that define what users, groups, and roles can do within AWS.

    A policy is attached to a user, a group, or a role. An identity with no attached policy can do nothing (default deny), and an explicit Deny in any applicable policy overrides an Allow.

    Option 1: policy attached directly to the user
      1. Create the user account
      2. Create the permission policy
      3. Attach the policy to the user

    Option 2: policy attached to a group
      1. Create the user account
      2. Create the group
      3. Create the permission policy
      4. Attach the policy to the group
      5. Add the user to the group

    Option 3: policy attached to a role
      1. Create the user account
      2. Create the role (its trust policy must allow the user, or the user's account, to assume it)
      3. Create the permission policy
      4. Attach the policy to the role
      5. Give the user a policy allowing sts:AssumeRole on the role's ARN; the user then assumes the role to use its permissions

    1. User account

    Once the new user is created, you can sign in to the AWS console as that user, but every action will be denied: a new user has no permissions until a policy is attached.

    2. Set permissions

    1. Create the permission

    1. Go to the Policies section

    2. Create a new policy

    2. Attach the permission to the user

    1. Select the user

    2. Attach the policy you created

    3. IAM Role option

    1. Create the role

    2. Attach the permission policies to the role

    3. Allow the user to assume the role by attaching a policy like the following to the user (replace <aws_account_id> with your account ID):

    
    
    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<aws_account_id>:role/workdocs_app_role"
        }
    }

    The role's ARN is copied from the role's details page in the IAM console. The role itself also needs a trust policy that names this user (or the account) as a principal allowed to perform sts:AssumeRole; without it the AssumeRole call is denied even though the user's own policy allows it.
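    The three attachment options above and the AssumeRole policy can be checked end to end with a small model of IAM's decision logic. The following is an added example, not AWS code or code from the original page: it builds the page's AssumeRole policy plus a constructed bucket-read policy and role trust policy, and evaluates them the way IAM does (default deny, explicit Deny wins, group policies inherited, and a role assumption that needs both the user's policy and the role's trust policy). The account ID, the user and group names, and the example-reports bucket are made-up placeholders; Condition elements are not modelled.

```python
"""Minimal model of IAM identity-policy evaluation (added example, not AWS code).
Account ID, user/group names and bucket are placeholders; the role name comes
from the page. Rules modelled: no policy -> deny; a matching Allow -> allow;
any matching explicit Deny wins; group policies are inherited by members;
assuming a role needs the user's identity policy AND the role's trust policy.
"""
import json
import re

ACCOUNT = "123456789012"                                    # placeholder account ID
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/alice"              # placeholder user
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/workdocs_app_role"  # role name from the page
BUCKET = "arn:aws:s3:::example-reports"                      # placeholder bucket


def _as_list(x):
    """IAM allows Statement, Action, Resource and Principal to be a scalar or a list."""
    return x if isinstance(x, list) else [x]


def _matches(pattern, value):
    """IAM wildcard matching: * is any run of characters, ? a single character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def evaluate(policies, action, resource):
    """Identity-based evaluation: default deny, explicit Deny beats any Allow."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_policies(user_policies, groups, membership):
    """Option 2: a user's effective policies are its own plus those of every group it is in."""
    docs = list(user_policies)
    for name in membership:
        docs.extend(groups.get(name, []))
    return docs


def can_assume_role(user_policies, user_arn, trust_policy, role_arn):
    """Option 3: the user's policy must allow sts:AssumeRole on the role ARN,
    and the role's trust policy must list the user as an allowed Principal."""
    if not evaluate(user_policies, "sts:AssumeRole", role_arn):
        return False
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if user_arn in _as_list(aws_principals):
            return True
    return False


# Constructed permission policy: read access to one bucket.
S3_READ = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [BUCKET, BUCKET + "/*"]}]}

# The page's policy: lets the user call AssumeRole on the role.
ASSUME_WORKDOCS = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}}

# Constructed trust policy that must be set on the role itself.
WORKDOCS_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": USER_ARN}, "Action": "sts:AssumeRole"}]}


def demo():
    """Run each scenario from the page and return the access decisions."""
    obj = BUCKET + "/q1.csv"
    groups = {"analysts": [S3_READ]}
    deny_s3 = {"Version": "2012-10-17",
               "Statement": {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}}
    empty_trust = {"Version": "2012-10-17", "Statement": []}
    return {
        "fresh_user": evaluate([], "s3:GetObject", obj),
        "option1_direct": evaluate([S3_READ], "s3:GetObject", obj),
        "option2_group": evaluate(effective_policies([], groups, ["analysts"]), "s3:GetObject", obj),
        "other_bucket": evaluate([S3_READ], "s3:GetObject", "arn:aws:s3:::secrets/x"),
        "deny_wins": evaluate([S3_READ, deny_s3], "s3:GetObject", obj),
        "option3_assume": can_assume_role([ASSUME_WORKDOCS], USER_ARN, WORKDOCS_TRUST, ROLE_ARN),
        "no_trust_policy": can_assume_role([ASSUME_WORKDOCS], USER_ARN, empty_trust, ROLE_ARN),
        "no_user_policy": can_assume_role([], USER_ARN, WORKDOCS_TRUST, ROLE_ARN),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    The two false cases at the end are the ones practitioners trip over with Option 3: the page's policy on the user is necessary but not sufficient, because the role's trust policy is a second, independent gate. In a real account the same check is made by calling `aws sts assume-role --role-arn <role ARN> --role-session-name <name>` as the user.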