IAM is a global service, so it doesn't require a region.
Physically, this means users, groups, and roles.
The very first time it is used, it must be created with proper permissions.
IAM is at the center of AWS.
Policies are written in JSON.

Users -> usually a physical person
Groups -> functions (admins, devops), teams (engineering, design); contains users
Roles -> internal usage within AWS resources

IAM has a glo..