You work with AWS long enough, you begin to realize that there is no "right" way of doing it. The piece of advice that I think works well is: don't use users. I mean, sometimes you need it to get external services access to your account, but for humans, SSO + Roles is better. The big issue with Users is that you're accepting a broader attack surface where you're relying on humans to rotate passwords, rotate credentials, you're relying on administrators to create accounts when people join, disable accounts when people leave, its just a lot more management. When you switch to SSO, you need to use Roles, but it ends up being rather nice because you can grant one SSO subject access to multiple roles across multiple accounts within your AWS Org. More on reddit.com

I'm a little confused probably because I was expecting that each AWS account holder is able to make their own personal IAM account and then I would… More on reddit.com

Best resources? The official docs https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html More on reddit.com

Great question and thinking - from a security perspective, we thank you for thing of IAM considerations first before using an overly permissive IAM Principal. I'll split this up into a couple categories: Overall: Does your organization have pre-existing AWS Access patterns or resources for you to follow? Every organization is different and I recommend following existing patterns or building on top of those. Do you have separate AWS Accounts for environments (Dev, Stage, Prod)? There are resources on Account separation as these provide logical boundaries. These accounts can all be part of the same Organization. For an enterprise, I'd typically recommend many accounts as this can provide security and also help with segmentation and reduce blast radius (example: someone manually accessing improper data or deleting resources). It sounds like you have multiple different access use cases with engineers, business users, ETL tools, reporting tools, vendors. This guide is useful: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPracticesAndUseCases.html I'd also outline the following for the use cases: Who is accessing (engineers, data scientists, application, etc)? How are they trying to access (manual, automated)? What do they need access to? Mechanism of Access into AWS: IAM Users are a quick way to start, but I'd recommend IAM Roles and using Identity Center (AWS SSO) when possible. For different IAM roles, I usually split these up by "application". So if one workflow is reading from postgres and writing to S3, that would be 1 Role with the applicable polices. Then the Glue job loading from Redshift would be a different role. Example: https://docs.aws.amazon.com/glue/latest/dg/create-an-iam-role.html . For vendors delivering files - you could use S3 for this (as an example to not give them an IAM principal in your accounts): S3 Presigned URLs S3 Bucket Policies for cross account access Environment Differences: My preference is a more open IAM principal in Development environments for easier troubleshooting, and a more constrained IAM Principal (role) in Stage and Production. If you're building an application and doing more automation in Stage and Production, I'd suggest sticking more to IAM Roles and not IAM Users. If you do need access for data engineers to manually run things in Production, I'd recommend using Identity Center (AWS SSO). Permission-wise, I'd recommend scoping down/testing in Development and using those scoped down roles in Stage and Production. That's just a start but some considerations for you to think about! More on reddit.com