With AWS IAM, a user is creating an application which runs on an EC2 instance and makes requests to AWS, such as DynamoDB or S3 calls. Here it is recommended that the user should not create an IAM user and pass the user's credentials to the application or embed those credentials inside the application. Instead, the user should use roles for EC2 and give that role access to DynamoDB / S3. When the role is attached to the EC2 instance, it provides temporary security credentials to the application hosted on that instance to connect to DynamoDB / S3.

Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_WorkingWithGroupsAndUsers.html
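One way to check an application for the embedded-credentials pattern described above is to scan its files for access key IDs before deployment. This is an added example, not part of the original page; the file names and contents are constructed, and it relies on the AWS convention that long-term IAM user key IDs start with `AKIA` while temporary (role / STS) key IDs start with `ASIA`.

```python
import re

# AWS access key IDs are 20 characters; the 4-letter prefix identifies the kind.
# AKIA = long-term IAM user key, ASIA = temporary key issued for a role/session.
KEY_ID = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")

KINDS = {
    "AKIA": "long-term IAM user key",
    "ASIA": "temporary key",
}


def find_embedded_keys(files):
    """Return sorted (path, line_no, kind) tuples for each access key ID found.

    `files` maps a path to its text content. The key value itself is never
    returned, so findings can be logged without repeating the credential.
    """
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in KEY_ID.finditer(line):
                findings.append((path, line_no, KINDS[match.group(1)]))
    return sorted(findings)


def has_long_term_keys(files):
    """True if any file embeds an IAM user key, the pattern to replace with a role."""
    return any(kind == KINDS["AKIA"] for _, _, kind in find_embedded_keys(files))


# Constructed sample input: one settings file with embedded IAM user credentials
# (AWS's documented example key pair) and one that relies on the instance role.
SAMPLE_FILES = {
    "app/settings.py": (
        'TABLE = "orders"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "app/settings_role.py": (
        'TABLE = "orders"\n'
        "# No keys: the SDK picks up temporary credentials from the EC2 role.\n"
    ),
}

if __name__ == "__main__":
    for path, line_no, kind in find_embedded_keys(SAMPLE_FILES):
        print(f"{path}:{line_no}: {kind} embedded in application file")
```

A finding of the long-term kind is the signal to remove the key from the application, deactivate it in IAM, and attach a role to the instance instead.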