For a web application needing AWS service access, which AWS IAM entity is recommended for best security practices?