1
Q
What is the difference between IAM users and roles?
A
Roles are assigned to resources; users are people or on-premises servers
2
Q
Do IAM permissions span regions?
A
Yes, it is a global service
3
Q
Can Customer Managed Policies be shared across accounts?
A
No
4
Q
What are the key STS API calls?
A
AssumeRole - get credentials for a role which may have more access than your own
GetSessionToken - get credentials for your current IAM role, i.e. if you’re moving into a lower-security environment
GetFederationToken - used for proxies which provide credentials for on-premises systems
