by zxcvbn4038
2340 days ago
Now I understand - you are talking about IAM users versus assumed roles, instance roles, and the like. Definitely a best practice to utilize those over IAM users, but you never get away from IAM entirely; it's the cornerstone of all access control within AWS. The difference is that with assumed roles and similar you get short-lived credentials that need to be renewed periodically (usually behind the scenes), whereas IAM user credentials exist until you remove them (though best practice is to rotate them periodically). There are some instances where you can't get away from them easily. Remote access to S3 buckets is a biggie: even though I can get assumed-role credentials through my identity provider, I've yet to find an S3 client (besides the CLI) that can utilize them. Another is access to SES for applications that need raw SMTP credentials from an IAM user. My CDN can make requests to S3 buckets with AWS v2 signatures, and that needs IAM user credentials also (though the actual policy is limited to the buckets with public content and only getting known objects, no listing).
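The distinction the comment draws, long-lived IAM user keys that live until removed versus role credentials that carry an expiry, is what a rotation check has to handle. Below is an added example (not code from the commenter or from AWS) that flags overdue IAM user access keys and decides when assumed-role credentials need a refresh; the input dicts are constructed to mirror the shape of boto3's `iam.list_access_keys()` and `sts.assume_role()` responses, and the 90-day rotation window is an assumed policy.

```python
"""Rotation and refresh checks for long-lived vs short-lived AWS credentials.

Assumptions (not from the original comment): input dicts mimic the shape of
boto3's list_access_keys() 'AccessKeyMetadata' and assume_role() 'Credentials';
ROTATION_MAX_AGE is an assumed 90-day policy. All sample values are constructed.
"""
from datetime import datetime, timedelta, timezone

ROTATION_MAX_AGE = timedelta(days=90)      # assumed rotation policy
REFRESH_MARGIN = timedelta(minutes=5)      # renew role creds before they lapse

UTC = timezone.utc

# Constructed sample modelled on list_access_keys() output; placeholder key ids.
SAMPLE_USER_KEYS = [
    {"UserName": "cdn-s3-reader", "AccessKeyId": "AKIA-PLACEHOLDER-1",
     "Status": "Active", "CreateDate": datetime(2023, 1, 5, tzinfo=UTC)},
    {"UserName": "ses-smtp-app", "AccessKeyId": "AKIA-PLACEHOLDER-2",
     "Status": "Active", "CreateDate": datetime(2024, 5, 20, tzinfo=UTC)},
    {"UserName": "old-batch-job", "AccessKeyId": "AKIA-PLACEHOLDER-3",
     "Status": "Inactive", "CreateDate": datetime(2022, 3, 1, tzinfo=UTC)},
]

# Constructed sample modelled on assume_role() 'Credentials'; no real secrets.
SAMPLE_ROLE_CREDS = {
    "AccessKeyId": "ASIA-PLACEHOLDER",
    "SecretAccessKey": "<redacted>",
    "SessionToken": "<redacted>",
    "Expiration": datetime(2024, 7, 1, 12, 0, tzinfo=UTC),
}


def classify_user_keys(keys, now, max_age=ROTATION_MAX_AGE):
    """Split IAM user keys into (overdue_active, inactive_leftovers).

    Active keys older than max_age are overdue for rotation; inactive keys
    never expire on their own and should be deleted once confirmed unused.
    """
    overdue, leftovers = [], []
    for key in keys:
        age = now - key["CreateDate"]
        if key["Status"] == "Active" and age > max_age:
            overdue.append(key["AccessKeyId"])
        elif key["Status"] != "Active":
            leftovers.append(key["AccessKeyId"])
    return overdue, leftovers


def role_creds_need_refresh(creds, now, margin=REFRESH_MARGIN):
    """True when assumed-role credentials are expired or within the margin."""
    return creds["Expiration"] - now <= margin
```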