What is the difference between IAM roles and IAM users, and how do you implement the principle of least privilege in AWS for Apexon deployments?