AWS Security Academy · Lesson

Comparing IAM Users and Groups

Understand long-term identities and how groups simplify access.

Identities in IAM

AWS Identity and Access Management (IAM) is the service that controls who can do what in your account. Two of its most basic building blocks are users and groups. A user is a permanent identity tied to a person or application, while a group is simply a container that bundles users together so they share the same permissions. Understanding the difference is the foundation for everything else on the exam.

What an IAM User Is

An IAM user is a long-term identity with a name unique within your account. It can have two kinds of credentials:

  • A console password for signing in through the web.
  • Access keys (an access key ID and a secret access key) for programmatic API and CLI calls.

Because these credentials are long-lived, AWS treats them as higher risk. Best practice is to prefer roles and temporary credentials over creating many users with permanent keys.
