What is AWS IAM (Identity and Access Management)?

AWS IAM is a web service that controls access to AWS resources securely. It's global (not region-specific) and free to use. Core components: (1) Users: individual AWS accounts for people or applications — have long-term credentials (password, access keys); (2) Groups: collections of users with the same permissions — simplify management; (3) Roles: like users but assumed temporarily — for EC2 instances, Lambda functions, cross-account access, federated users. No long-term credentials — temporary security tokens via STS; (4) Policies: JSON documents defining permissions (Allow/Deny specific Actions on specific Resources under specific Conditions). AWS Managed Policies (predefined) vs Customer Managed Policies vs Inline Policies. Policy structure: {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::my-bucket/*", "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}. Principle of Least Privilege: grant only the permissions needed to perform a task. IAM Best practices: delete root account access keys; enable MFA for root and privileged users; use IAM roles for applications/services (not access keys); create individual users (not share credentials); rotate access keys regularly; use IAM Access Analyzer to identify overly permissive policies. Permission boundaries: limit maximum permissions a user or role can have. Service Control Policies (SCPs): organization-wide guardrails in AWS Organizations.