What it is: An identity for a person or an application that needs direct AWS access.

What it’s for:

• Console login (username/password).
• Programmatic access via access key (only when necessary).

Key ideas:

• Users can have:
  • Console password
  • Access keys (API access)
• Best practice: use SSO/roles where possible; avoid long-lived keys.
• Protect users with MFA.

Exam cues:

• “developer needs AWS console access” → IAM User (plus MFA).
• “rotate keys regularly” → access keys can be rotated.

Hard words:

• *programmatic* /ˌproʊɡrəˈmætɪk/: qua code/API
• *credentials* /krəˈdɛnʃəlz/: thông tin đăng nhập (user/pass/key)
• *rotate* /roʊˈteɪt/: xoay vòng (đổi định kỳ)

Related pages:

• IAM Group
• IAM Policy