Which statement BEST describes the difference between an IAM user and an IAM role?
A question about selecting the correct description of the difference between an IAM user and an IAM role.
IAM users are assigned to AWS services, and IAM roles are intended for human users only.
This is incorrect. The description is reversed. It is an IAM role that is assigned to AWS services (such as EC2) to grant temporary permissions.
The functions are swapped, so this is incorrect.
An IAM role is permanently tied to a single specific user when it is created.
An IAM role is not fixed to any specific individual. Instead, multiple people, applications, and AWS services that are permitted by the trust policy can assume the role as needed.
Permanently binding to one person is rather a characteristic of an IAM user, so this description of a role is incorrect.
IAM users operate with temporary credentials, and IAM roles hold long-term passwords.
This is incorrect. This reverses the characteristics of users and roles. It is IAM users that hold long-term passwords and access keys. When an IAM role is assumed, temporary credentials are issued.
The characteristics of the two are swapped, so this is incorrect.
An IAM user is a permanent identity tied to a person or application; an IAM role is a mechanism for obtaining temporary credentials.
Correct. An IAM user is a permanent identity tied to a specific user, with fixed credentials. An IAM role is not fixed to any specific person; people, applications, and AWS services assume the role (AssumeRole) as needed to obtain temporary credentials. Roles are well-suited for temporary and delegated permission grants.
User = permanent identity (fixed credentials) / Role = assume to obtain temporary credentials. Roles can be granted to people, applications, and AWS services; used for service-to-service integration and temporary permission grants. IAM itself is free.