###### IAM
- allow all access to all resource
```
{
"Version":"2012-10-18",
"Statement":[
{
"Effect":"Allow",
"Action":"*",
"Resource":"*"
}
]
}
```
- universal, not apply to regions
- root account has complete admin access
- new users have no permissions
- new users are assigned access key id & secert access keys to access aws via api / command line