How it works...

IAM is the AWS service for managing identities within AWS: it verifies who a caller is (authentication) and what that caller is allowed to do with AWS services (authorization).

IAM has four core concepts:

  • Users: A user can be created in IAM and given the necessary permissions to access AWS resources.
  • Groups: Users can be added to groups. Permissions can now be given to groups instead of individual users. This is a recommended best practice.
  • Policies: Policies are JSON documents that define the permissions for users or groups.
  • Roles: Roles are generally used to grant temporary permissions to access an AWS service. For example, we can attach a role with S3 permissions to an EC2 instance.

The IAM dashboard provides a set of checklist items to keep our account secure. It is good practice to keep them all green. The first checklist item checks whether we have active access keys for our root account that can be used for programmatic access. The root account is the account that we log into using the primary email address, and it has access to everything in our account. It is good practice to use root only for creating other users and then to use those users for our day-to-day activities.

The next checklist item checks whether we have enabled MFA for our root account. MFA will enforce an additional level of authentication, apart from the username and password, using tokens from a virtual or hardware MFA device. The next two checklist items make sure that we create at least one user and a group. The last checklist item is for setting a password rotation policy for our account.

Finally, we also set up a billing alarm. Though not part of the IAM checklist, it is good practice to set a billing alarm. This will trigger an alarm and let us know when our charges exceed the limit we set.
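To make the checklist verifiable rather than something to eyeball in the console, the following added example (not from the book) evaluates the five IAM dashboard items from the data that the IAM API returns. The sample account summaries and password policy are constructed for illustration, and the boto3 calls appear only in the optional live-fetch helper.

```python
"""Offline evaluation of the IAM dashboard security checklist described above.

The inputs mirror what boto3's iam.get_account_summary()["SummaryMap"] and
iam.get_account_password_policy()["PasswordPolicy"] return; the sample
dictionaries below are constructed for illustration, not real account data.
"""


def evaluate_checklist(summary, password_policy):
    """Return {item: is_green} for the five IAM dashboard checklist items.

    summary: the SummaryMap dict from get_account_summary()
    password_policy: the PasswordPolicy dict, or None when the account has no
    policy at all (the API raises NoSuchEntityException in that case).
    """
    rotation_set = (
        password_policy is not None
        and password_policy.get("MaxPasswordAge", 0) > 0  # days; 0/absent = never expires
    )
    return {
        "delete_root_access_keys": summary.get("AccountAccessKeysPresent", 1) == 0,
        "activate_mfa_on_root": summary.get("AccountMFAEnabled", 0) == 1,
        "create_individual_iam_user": summary.get("Users", 0) >= 1,
        "use_groups_to_assign_permissions": summary.get("Groups", 0) >= 1,
        "apply_password_rotation_policy": rotation_set,
    }


def red_items(summary, password_policy):
    """Names of the checklist items that are not green, in dashboard order."""
    return [name for name, ok in evaluate_checklist(summary, password_policy).items() if not ok]


def fetch_live_inputs():
    """Pull the real inputs with boto3 (needs AWS credentials; not used by the samples)."""
    import boto3  # imported here so the offline part of this file needs no AWS SDK

    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    try:
        policy = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        policy = None  # no password policy configured at all
    return summary, policy


# Constructed samples: a freshly created account and one that has been hardened.
FRESH_SUMMARY = {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 0, "Users": 0, "Groups": 0}
HARDENED_SUMMARY = {"AccountAccessKeysPresent": 0, "AccountMFAEnabled": 1, "Users": 2, "Groups": 1}
HARDENED_POLICY = {"MinimumPasswordLength": 14, "MaxPasswordAge": 90, "PasswordReusePrevention": 24}

if __name__ == "__main__":
    for label, args in (("fresh", (FRESH_SUMMARY, None)), ("hardened", (HARDENED_SUMMARY, HARDENED_POLICY))):
        print(label, "red items:", red_items(*args) or "none")
```

Replace the constructed samples with `fetch_live_inputs()` to run the same checks against a real account.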
