IAM Best Practices
Never use the root account for any other purpose other than setting up other less privileged AWS accounts
One AWS user is the same as one physical user
Users can be assigned to groups and then permissions can then be assigned to those groups
Always enforce a strong password policy
Wherever possible, use Multi-Factor-Authentication
Whenever an AWS Service requires permissions to run as a user then create and assign the service a Role
When leveraging the CLI or SDK (Or another programmatic access) generate Access Keys for the application
Use the IAM Security Tools available within AWS such as IAM Access Advisor to audit user permissions on a regular basis
Never share IAM users and access keys – Each user should have their own Access Key