====== IAM User ======

**What it is:** An identity for a **person** or an application that needs direct AWS access.

**What it’s for:**
  * Console login (username/password).
  * Programmatic access via an access key (only when necessary).

**Key ideas:**
  * Users can have:
    * **Console password**
    * **Access keys** (API access)
  * Best practice: use SSO/roles where possible; avoid long-lived keys.
  * Protect users with [[aws:security:mfa|MFA]].

**Exam cues:**
  * “developer needs AWS console access” → IAM User (plus MFA).
  * “rotate keys regularly” → access keys can be rotated.

**Hard words:**
  * *programmatic* /ˌproʊɡrəˈmætɪk/: via code/API
  * *credentials* /krəˈdɛnʃəlz/: login information (user/pass/key)
  * *rotate* /roʊˈteɪt/: to rotate (change periodically)

**Related pages:**
  * [[aws:security:iam:group|IAM Group]]
  * [[aws:security:iam:policy|IAM Policy]]
  * [[aws:security:iam:root-user|Root User]]