IAM is the basic service that AWS uses for user authentication. It provides centralized control, shared access, granular service permissions, identity federation, multi-factor authentication, temporary access, and password policies.
Specific units within IAM work together to provide all of these features.
Users are, as the name implies, the end users of the AWS service. The first end user is the root user, which is provided with complete admin access. All other users after the root user are by default set with no permissions, access key ID, and secret access key. The access key ID and secret access key are viewable only once upon creation and are used to access AWS resources/services programmatically. They do not provide console access. The standard ID and password provide console access and are separate from the access key ID and secret access key. Best practices dictate that the root account should always be set up with multi-factor authentication.
A group is a set of users that can inherit the permissions given to the group. A role is a set of policies used to give access to services within AWS. Typically, this is EC2 services. Policies are JSON-formatted documents that use key-value pairs to define permissions for users, groups, and roles.
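
The following is an added example, not code from the original page and not AWS's implementation: a simplified model of how a JSON policy attached to a group decides a user's request, including the case of a user with no permissions. The user names, group name, bucket ARN and the `evaluate` function are assumptions made for illustration, and real IAM evaluation also covers conditions, principals and other policy types that are left out here.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy in IAM's JSON grammar; the bucket name is a placeholder.
S3_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/secret/*"}
  ]
}
""")

# Hypothetical directory: policies attach to groups, users inherit through membership.
GROUP_POLICIES = {"analysts": [S3_POLICY]}
USER_GROUPS = {"alice": ["analysts"], "bob": []}  # bob is a new user with no permissions


def _as_list(value):
    # "Action", "Resource" and "Statement" may each be a single item or a list.
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    # Simplified wildcard match: actions compare case-insensitively, ARNs exactly.
    act_ok = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
    res_ok = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return act_ok and res_ok


def evaluate(user, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # nothing is permitted until a policy allows it
    for group in USER_GROUPS.get(user, []):
        for policy in GROUP_POLICIES.get(group, []):
            for stmt in _as_list(policy["Statement"]):
                if not _matches(stmt, action, resource):
                    continue
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"  # an explicit deny overrides any allow
                decision = "Allow"
    return decision


if __name__ == "__main__":
    for who, key in [("alice", "reports/q1.csv"), ("alice", "secret/k.txt"), ("bob", "reports/q1.csv")]:
        print(who, key, evaluate(who, "s3:GetObject", "arn:aws:s3:::example-bucket/" + key))
```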