IAM is very similar to any familiar account hierarchy such as Active Directory. It is also a global service, meaning you do not need to deploy it in a specific region to use it. A root account is created by default; you should avoid using this account and instead create specific user accounts following the rule of least privilege, a common rule in account creation where you assign only the permissions the user needs and nothing more. You can assign users to groups: a user can be in zero, one, or many groups, but you cannot put groups into other groups. You assign permissions to users or groups by attaching policies to them, which are written in JSON format; I will go into more detail on creating these policies in a later post. As always, feel free to reach out if you have any questions on this content, thank you!