# IAM

## IAM (Identity & Access Management)

IAM is where you manage who has access to your AWS account and which resources they can use.

IAM manages:

* Users
* Groups
* Roles
* IAM access policies

A user may be a member of up to 10 groups.

**Best practice** is to assign policies to groups and manage access by adding users to, or removing them from, those groups.

It is not possible to assign a policy directly to a service (e.g. EC2). To grant EC2 access to, for example, S3, **assign a role** to EC2; the role carries a policy that allows access to S3.
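The role-for-EC2 pattern described above, as an added example that is not part of the original notes: the role needs a trust policy (who may assume it) and a permissions policy (what it may do), and it reaches the instance through an instance profile. The role name, bucket name and the inline policy name `s3-read` are assumptions chosen for illustration; `iam` is expected to be a boto3 IAM client.

```python
import json

def ec2_trust_policy():
    """Trust policy: who may assume the role (here, the EC2 service)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }

def s3_read_policy(bucket):
    """Permissions policy: what the role may do (read one bucket only)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Listing applies to the bucket ARN, object reads to the keys in it.
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }

def attach_role_for_ec2(iam, role_name, bucket):
    """Create the role, its inline policy and the instance profile EC2 uses.

    `iam` is a boto3 IAM client, e.g. boto3.client("iam").
    """
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(ec2_trust_policy()))
    iam.put_role_policy(RoleName=role_name, PolicyName="s3-read",
                        PolicyDocument=json.dumps(s3_read_policy(bucket)))
    # EC2 instances receive a role through an instance profile.
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name,
                                     RoleName=role_name)

if __name__ == "__main__":
    # Constructed names; printing the documents needs no AWS credentials.
    print(json.dumps(ec2_trust_policy(), indent=2))
    print(json.dumps(s3_read_policy("example-bucket"), indent=2))
```

Scoping the permissions policy to a single bucket, instead of `s3:*` on `*`, limits what a compromised instance can reach.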
