IAM is AWS's global authentication and authorization service. Everything is deny by default; policies are JSON documents evaluated in one fixed order: explicit deny → allow → implicit deny. Users are people, roles are hats anyone (or any service) can wear temporarily, and STS is the machine that mints those temporary credentials.
Today you also install the two guardrails the rest of the plan depends on: a budget alarm so a forgotten resource can't quietly bill you, and an admin identity so the root user goes in a drawer and stays there.