Managing access with IAM

There are three different identity entities in IAM that we will be taking a deeper look at in this chapter:

  • Users: These are identifying objects that uniquely represent the person or service interacting with AWS. A user always specifies a username together with a credential (a password or an access key) that is used with that username to authenticate the user.
  • Groups: These are collections of IAM users that allow users with identical requirements to be managed as a single entity. Any permissions set on the group are automatically inherited by all the users in the group. It is an AWS best practice to apply permissions to groups and then move users in and out of groups when their permission requirements change, rather than attaching permissions to individual users.
  • Roles: These are identifying objects that define a set of permissions a service or a person can use when interacting with AWS services. Contrary to users, roles do not identify a unique person or service and can be assumed by multiple entities at the same time. Roles are a way to temporarily acquire permissions beyond the usual scope of those assigned to the user or service. For example, you can allow users to assume a role when they need elevated or administrative access, or you can use roles to give virtual machine instances access to other AWS resources, such as S3 or DynamoDB, without having to hardcode security credentials into the instance itself.
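The three entities above map onto two kinds of JSON policy document: a permissions policy (attached to a group so that its users inherit it) and a trust policy (attached to a role, stating who may assume it). The following added example, which is not from the book, builds a least-privilege group policy and an EC2 role trust policy, and runs a small lint over policy documents to flag grants that are broader than the text recommends (wildcard actions, wildcard resources, or a role any principal may assume). The bucket name and the over-broad policies are constructed placeholders; the lint is illustrative and checks only those three conditions.

```python
"""Added example (not from the book): construct and lint IAM policy documents.
The bucket name and the 'bad' policies below are constructed placeholders."""
import json

EXAMPLE_BUCKET = "example-reports-bucket"  # constructed placeholder, not a real bucket


def ec2_role_trust_policy():
    """Trust policy for a role that EC2 instances may assume (the 'no hardcoded
    credentials on the instance' pattern): only the EC2 service principal is
    allowed to call sts:AssumeRole on it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def s3_read_only_group_policy(bucket):
    """Permissions policy meant to be attached to a group, so users inherit it
    when moved into the group. Scoped to a single bucket, read-only."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": arn},
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"{arn}/*"},
        ],
    }


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return human-readable findings for Allow statements broader than least
    privilege: wildcard actions, wildcard resources, or a trust policy that lets
    any principal assume the role. An empty list means nothing was flagged."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        principal = stmt.get("Principal")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: wildcard resource")
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            findings.append(f"statement {i}: any principal may assume this role")
    return findings


# Constructed over-broad documents, for contrast: the kind of grant the lint flags.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    docs = [
        ("ec2 role trust", ec2_role_trust_policy()),
        ("group s3 read-only", s3_read_only_group_policy(EXAMPLE_BUCKET)),
        ("over-broad permissions", OVERBROAD_POLICY),
        ("open trust", OPEN_TRUST_POLICY),
    ]
    for name, doc in docs:
        print(f"{name}: {policy_findings(doc) or 'ok'}")
        print(json.dumps(doc, indent=2))
```

Running the script prints the two well-scoped documents as `ok` and lists the findings for the two constructed bad ones. In practice the same documents would be passed to the IAM API (for example as the `AssumeRolePolicyDocument` when creating the role, and as the policy attached to the group); running a check like this before doing so is a cheap way to enforce the group-and-role discipline the chapter recommends.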