AWS Study Notes 1: Organisation and IAM


Author: 洪兴掌管一代 | Source: published 2021-11-10 22:28, read 0 times

    1. Organisation

    Every organisation has one root account. The root account can add existing accounts, or newly created accounts, to the current organisation, and these accounts belong to different OUs. You can treat OUs as the groups of a single organisation; they exist to help the root account administer accounts as a unit.

    Every account is tied to one email address and an alias that mark it as a unique account.

    organisation accounts

    2. Identity and Access Management (IAM): user, group, policy, role

    IAM is used to manage the users who do the daily work, and to grant those IAM users different levels of access to resources.

    We can first create a few customised IAM roles and attach existing AWS-managed policies to these roles.

    Attach AmazonEC2FullAccess to the EC2Admin role I created.

    Then we can create a few customised policies and attach the roles we created to these policies. A policy defines the AWS permissions that you can assign to a user, group, or role.

    The policy I created.

    Then we can assign the policy to an IAM group, so that it applies to every user in the group instead of being assigned to each user one by one.

    I assigned the policy "AllowEC2admin" to the group "Developers".

    The IAM users in this group can then choose to switch to the role after they log in.
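As an added example (not code from the original post), the two policy documents the procedure above needs, built in Python: the trust policy for the EC2Admin role and the AllowEC2admin policy that lets the Developers group assume it. The account id is a placeholder; the role, policy and group names are the post's own. It also includes a check that the AssumeRole grant names one specific role rather than a wildcard, which would let members switch to any role in any account.

```python
# Placeholder account id (not from the post); the role name is the one
# the post uses.
ACCOUNT_ID = "123456789012"
ROLE_NAME = "EC2Admin"


def trust_policy(account_id: str) -> dict:
    """Trust policy for the role: only principals in this account may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def assume_role_policy(account_id: str, role_name: str) -> dict:
    """Group policy (AllowEC2admin): lets members switch only to role_name."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{account_id}:role/{role_name}",
        }],
    }


def assume_role_resources(policy: dict) -> list:
    """Every Resource that an Allow statement grants sts:AssumeRole on."""
    found = []
    for stmt in policy.get("Statement", []):
        acts = stmt.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        grants = any(a.lower() in ("sts:assumerole", "sts:*", "*") for a in acts)
        if stmt.get("Effect") != "Allow" or not grants:
            continue
        res = stmt.get("Resource", [])
        found.extend([res] if isinstance(res, str) else res)
    return found


def is_scoped(policy: dict) -> bool:
    """True when no AssumeRole grant uses a wildcard resource."""
    return all("*" not in r for r in assume_role_resources(policy))
```

The trust policy is what `aws iam create-role --assume-role-policy-document` takes, and the group policy is what `aws iam create-policy --policy-document` takes before `attach-group-policy`.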

    Service-linked role: this role can only be assumed by AWS, when an AWS service A wants to call another AWS service B on your behalf. So the IAM user of service A must have the permission to create the role that is linked with service B. For example, if a user U who has assumed EC2FullAccessRole wants to create an AWS load balancer to distribute requests to some EC2 instances, then the user must have a service-linked role that is linked with the load balancing service. Because EC2FullAccessRole has the authorisation to create the Elastic Load Balancing linked role, the role can be created automatically by AWS.

    After you create the load balancer, you will find that the load balancing linked role has been created.

    There may be some ambiguity about the difference between IAM users and accounts. I think every account is attached to a unique email and alias, which is used to log in, allocate authorisation, or manage billing. The account should not be used to interact directly with AWS resources.

    But an IAM user is used for a specific workload. AWS does not create an account for the user; it can log in with just console credentials.


Article link: https://www.haomeiwen.com/subject/ndbizltx.html