Correct. Web identity federation removes the need for creating individual IAM users. Instead, users can sign in to an identity provider and then obtain temporary security credentials from AWS Security Token Service (AWS STS).

Correct. Using IAM, you can create and manage AWS users, groups, roles, and use permissions to allow and deny their access to AWS resources.

Correct. AWS managed policies are designed to provide permissions for many common use cases. They are available and can be used in any AWS account.

Correct. AWS occasionally updates the permissions defined in an AWS managed policy. When AWS does this, the update affects all principal entities (users, groups, and roles) that the policy is attached to.

Correct. You can attach AWS managed policies to multiple principal entities in your AWS account.

Correct. assume-role-with-web-identity returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.

Correct. AWS recommends Amazon Cognito to synchronize user data seamlessly across end users’ devices. Reference: Using Amazon Cognito to Sync Data (https://aws.amazon.com/blogs/mobile/using-amazon-cognito-to-sync-data/).

Correct. Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the identity that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they're intended for.

Correct. With web identity federation, you don't need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP.