It’s long been considered “best practice” to avoid having IAM users in AWS. Where possible, IAM roles are preferable because role session credentials are short-lived, whereas an IAM user’s access keys are long-lived secrets that have to be stored, protected and rotated. As far as I can tell, the only justification for IAM users that I still hear nowadays is non-interactive systems outside of AWS (where AWS SSO, now IAM Identity Center, won’t work), e.g. a Raspberry Pi in your closet.
Specifically, it uses the “card authentication” slot on a YubiKey (PIV slot 9e) to store a TLS certificate and private key. By default this slot signs without a PIN or touch, which is perfect for the Raspberry Pi use case. The caveat is that the protection you gain is non-exportability, not presence verification: anyone with the YubiKey plugged into a host they control can sign with it, so the host still needs to be locked down. By making a app for it, it works with any AWS SDK or AWS CLI from the last few years.
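To make the integration point concrete, here is an added example (not the tool described in this post, nor any AWS or Yubico code) of the shape such a helper takes. It assumes the helper targets IAM Roles Anywhere, the AWS feature that exchanges an X.509 certificate for temporary role credentials, and that it speaks the AWS CLI/SDK `credential_process` contract. The X.509 SigV4 header layout and the CreateSession response shape follow my reading of the Roles Anywhere documentation and should be checked against it; the signer is injected so that, on a real device, it can be a PKCS#11 call into slot 9e, while the test below uses a stand-in. The host, serial, certificate bytes and response are all constructed.

```python
"""Sketch of a credential_process helper backed by a hardware-held key.

Added example. Assumptions: IAM Roles Anywhere as the target API, the
credential_process JSON contract, and a Roles Anywhere header layout as
I understand it from the docs (verify before relying on it).
"""
import base64
import datetime as dt
import hashlib
from typing import Callable, Dict

# Signs raw bytes and returns the raw signature. On the Raspberry Pi this
# would call the YubiKey PIV slot 9e (e.g. via PKCS#11); it is injected
# here so the canonicalisation and caching logic can be exercised offline.
Signer = Callable[[bytes], bytes]


def x509_signed_headers(method: str, host: str, path: str, body: bytes,
                        cert_der: bytes, cert_serial: int, region: str,
                        now: dt.datetime, signer: Signer,
                        algorithm: str = "AWS4-X509-ECDSA-SHA256") -> Dict[str, str]:
    """SigV4 canonicalisation, X.509 variant: the certificate travels in
    X-Amz-X509 and its serial number stands in for the access key id.
    Only the final string-to-sign goes to the hardware signer."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    headers = {
        "content-type": "application/json",
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-x509": base64.b64encode(cert_der).decode(),
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        method, path, "",  # empty query string
        canonical_headers, signed_headers,
        hashlib.sha256(body).hexdigest(),
    ])
    scope = f"{amz_date[:8]}/{region}/rolesanywhere/aws4_request"
    string_to_sign = "\n".join([
        algorithm, amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = signer(string_to_sign.encode()).hex()
    headers["authorization"] = (
        f"{algorithm} Credential={cert_serial}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def to_credential_process(create_session_response: dict) -> dict:
    """Map a CreateSession response (assumed shape) to the JSON document the
    AWS CLI and SDKs expect on stdout from a credential_process."""
    creds = create_session_response["credentialSet"][0]["credentials"]
    return {
        "Version": 1,
        "AccessKeyId": creds["accessKeyId"],
        "SecretAccessKey": creds["secretAccessKey"],
        "SessionToken": creds["sessionToken"],
        "Expiration": creds["expiration"],
    }


def needs_refresh(cached: dict, now: dt.datetime,
                  margin: dt.timedelta = dt.timedelta(minutes=5)) -> bool:
    """True when cached credentials are within `margin` of expiry. Caching
    matters because the SDK invokes the helper often; without it every
    call would round-trip to the hardware and to AWS."""
    expiry = dt.datetime.fromisoformat(cached["Expiration"].replace("Z", "+00:00"))
    return now + margin >= expiry


def get_credentials(cache: dict, now: dt.datetime,
                    create_session: Callable[[], dict]) -> dict:
    """Return credential_process JSON, reusing `cache` until it is near expiry."""
    if cache and not needs_refresh(cache, now):
        return cache
    fresh = to_credential_process(create_session())
    cache.clear()
    cache.update(fresh)
    return fresh
```

In the real helper the `create_session` callable would build the CreateSession body (trust anchor, profile and role ARNs), call `x509_signed_headers` with the PIV signer and POST the request; the AWS config then points at the helper with `credential_process = /path/to/helper` in the profile, which is why any SDK that understands `credential_process` works unchanged.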
This could also be made to work with TPMs for deployments where a removable YubiKey is undesirable, since a TPM can likewise hold a non-exportable key and sign on the host’s behalf.
I’d love to hear from you if you can think of any remaining reasons why IAM users are still necessary.