- arn:partition:service:region:account-id:resource-id
- arn:partition:service:region:account-id:resource-type/resource-id
- arn:partition:service:region:account-id:resource-type:resource-id
- SAML2 sends the SAML assertion to the AWS Assertion Consumer Service to get the
- SSO across all enterprise systems including AWS
- Potentially tens or hundreds of thousands of staff/users, more than IAM can handle (5000)
- Applications require access to AWS resources
- Don't manage credentials within the application
- Support other credentials with Cognito - Google, Twitter, Facebook, etc.
- Tens of hundreds of AWS accounts in an organization
- Role switching used from an ID account into member accounts.
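
The three ARN forms at the top of these notes and the role-switching bullet meet in one check: before switching from the ID account, confirm the target ARN is an IAM role in a known member account. This Python sketch is an added example, not part of the original notes; `parse_arn`, `is_member_role`, the account IDs and the role names are constructed for illustration.

```python
from typing import NamedTuple, Optional

class Arn(NamedTuple):
    partition: str
    service: str
    region: str          # empty for global services such as IAM
    account_id: str      # empty, "aws", or a 12-digit account ID
    resource_type: Optional[str]
    resource_id: str

def parse_arn(arn: str) -> Arn:
    # Split into at most six fields so ':' inside the resource part survives.
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, resource = parts
    if not (partition and service and resource):
        raise ValueError(f"empty partition, service or resource: {arn!r}")
    twelve_digits = (len(account_id) == 12 and account_id.isascii()
                     and account_id.isdigit())
    if account_id not in ("", "aws") and not twelve_digits:
        raise ValueError(f"bad account-id: {arn!r}")
    # Forms 2 and 3 differ only in the separator after resource-type.
    # Assumption: the first '/' or ':' is that separator. A form-1 id that
    # itself contains '/' (an S3 object key, say) is split the same way.
    hits = [i for i in (resource.find("/"), resource.find(":")) if i >= 0]
    if not hits:
        return Arn(partition, service, region, account_id, None, resource)
    cut = min(hits)
    return Arn(partition, service, region, account_id,
               resource[:cut], resource[cut + 1:])

def is_member_role(arn: str, member_accounts: set) -> bool:
    """True only for an IAM role ARN in one of the listed member accounts."""
    try:
        a = parse_arn(arn)
    except ValueError:
        return False
    return (a.service == "iam" and a.resource_type == "role"
            and a.account_id in member_accounts)

# Constructed sample values: placeholder account IDs, hypothetical names.
MEMBERS = {"111122223333", "444455556666"}
SAMPLES = ["arn:aws:iam::111122223333:role/team/Admin",
           "arn:aws:lambda:us-east-1:111122223333:function:my-fn",
           "arn:aws:sns:us-east-1:111122223333:example-topic"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_arn(s), is_member_role(s, MEMBERS))
```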