IAM – Identity and Access Management service allows you to control access to AWS Services and resources. It lets you manage identities and controls the permissions for users, groups, roles or organizations. It manages the IAM policies , authentication attributes like usernames, password, MFA , Access Keys and password policies.
When a new user is being created in IAM it does not have any permissions to any AWS resource. In other words, it has an implicit deny. We need to add an explicit allow for the required resources in order for user to access them. It should be noted that a Deny always overrides an Allow in the AWS world.