CLIENT and RESOURCE are two different abstractions within the boto3 SDK for making AWS service requests. If you want to make API calls to an AWS service with boto3, then you do so via a Client or a Resource.

You would typically choose to use either the Client abstraction or the Resource abstraction, but an application can use both, as needed. I've outlined the differences between Client and Resource below to help readers decide which to use.

Client:

    - low-level service access
    - generated from service description
    - their definitions are generated by a JSON service description present in the botocore library
    - All AWS service operations supported by clients

Resource:

    - this is the newer boto3 API abstraction
    - it provides high-level, object-oriented API
    - it does not provide 100% API coverage of AWS services
    - it uses identifiers and attributes
    - it has actions (operations on resources)
    - it exposes sub-resources and collections of AWS resources
    - it is generated from an AWS resource description

In [1]:
import boto3
iam = boto3.resource('iam')
client = boto3.client('iam')

## ACCOUNT PASSWORD POLICY
### 1. COMPLETE SYNTAX & 2. SHORT SYNTAX

In [128]:
account_password_policy = iam.AccountPasswordPolicy()
response = account_password_policy.update(
    MinimumPasswordLength=8,
    RequireSymbols=True,
    RequireNumbers=True,
    RequireUppercaseCharacters=True,
    RequireLowercaseCharacters=True,
    AllowUsersToChangePassword=True,
    PasswordReusePrevention=1,
    HardExpiry=True
)

## >>>> DEFINE A USER NAME <<<<
- `One user` represents `one person` in your organization
- Users don't have to belong to a group
- One user can belong to multiple groups

In [106]:
user = iam.User('j_doe')

## CREATE A USER
### 1. COMPLETE

In [None]:
user = user.create(
    Path='string',
    PermissionsBoundary='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)

### 2. SHORT

In [107]:
user = user.create()

## GENERATE ACCES KEY AND SECRET ACCESS KEY TO A USER
### 1. COMPLETE & 2. SHORT

In [119]:
response = client.create_access_key(
    UserName='j_doe'
)

## CREATE A GROUP
- Users can be grouped
- Groups can only contain users, not other groups

### 1. COMPLETE

In [None]:
response = client.create_group(
    Path='string',
    GroupName='string'
)

### 2. SHORT

In [116]:
response = client.create_group(
    GroupName='finance'
)

## ADD A USER TO A GROUP
### 1. COMPLETE & 2. SHORT

In [117]:
response = client.add_user_to_group(
    GroupName='finance',
    UserName='j_doe'
)

## ADD A POLICY TO A GROUP
- When you create an IAM user, by default, it has no permissions
- You have to explicitly give the user permission to do anything in that account
- The way that you grant or deny permission is to associate what is called an IAM policy to an IAM user
- You can attach a policy to a group and all of the users in that group will have those permissions

### 1. COMPLETE & 2. SHORT

In [118]:
response = client.attach_group_policy(
    GroupName='finance',
    PolicyArn='arn:aws:iam::aws:policy/AWSMobileHub_ReadOnly'
)

## DELETE A USER
### 1. COMPLETE & 2. SHORT

Deletes the specified IAM user. Unlike the Amazon Web Services Management Console, BEFORE you delete a user programmatically, you MUST delete the items attached to the user manually, or the deletion fails.
#### A. DELETE ACCESS KEY OF A USER

In [124]:
response = client.delete_access_key(
    UserName='j_doe',
    AccessKeyId='AKIAVNM3THUQSMN4OSPM'
)

#### B. REMOVE A USER FROM A GROUP

In [125]:
response = client.remove_user_from_group(
    GroupName='finance',
    UserName='j_doe'
)

#### C. DELETE A USER

In [126]:
response = client.delete_user(
    UserName='j_doe'
)

##  ROLES
- Roles have associated permissions that allow or deny specific actions
- These roles can be assumed for `temporary amounts of time` 
- You use roles to temporarily grant access to AWS resources, to users, external identities, applications, and even other AWS services
- When someone assumes an IAM role, they abandon all previous permissions that they had under a previous role and assume the permissions of the new role
- IAM roles are ideal for situations in which access to services or resources needs to be granted temporarily, instead of long-term.