IAM FAQ: a closer look

https://aws.amazon.com/cn/iam/faqs/


IAM authorization: Policies and Permissions

https://docs.aws.amazon.com/zh_cn/IAM/latest/UserGuide/access_policies.html

If you need to manage user identities outside of AWS, you can use an IAM identity provider instead of creating IAM users in your AWS account. With an identity provider (IdP), you manage user identities outside of AWS and grant those external identities permission to use the AWS resources in your account. This is useful when your organization already has its own identity system, such as a corporate user directory. It is also useful when you build a mobile or web application that needs access to AWS resources.

When you use an IAM identity provider, you do not need to write custom sign-in code or manage your own user identities; the IdP provides them. Your external users sign in through a well-known IdP, such as Login with Amazon, Facebook, or Google. You can grant these external identities permission to use the AWS resources in your account. An IAM identity provider helps keep your AWS account secure because you do not have to distribute or embed long-term security credentials, such as access keys, in your application.

To use an IdP, you create an IAM identity provider entity to establish a trust relationship between your AWS account and the IdP. IAM supports IdPs that are compatible with OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0). For more information about using one of these IdPs with AWS, see the following sections:
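The trust relationship described above is expressed in the trust policy of the IAM role that federated identities assume. The following added example (not from the AWS documentation or the original post) shows an over-broad OIDC trust policy beside a hardened one that pins the token's audience and subject, and a small check that flags federated trust statements lacking such a condition; the account id, provider URL, client id and subject are constructed placeholders.

```python
import json

PROVIDER = "arn:aws:iam::111122223333:oidc-provider/oidc.example.com"  # constructed

# Over-broad trust: any token the IdP issues may assume the role.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
})

# Same trust pinned to one audience (client id) and one subject.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            "oidc.example.com:aud": "my-app-client-id",
            "oidc.example.com:sub": "user:alice",
        }},
    }],
})

# Actions that let a federated identity assume the role (wildcards included).
ASSUME_ACTIONS = {"sts:AssumeRoleWithWebIdentity", "sts:AssumeRoleWithSAML", "sts:*", "*"}


def find_unpinned_federation(policy_json):
    """Return one finding per Allow statement that trusts a federated principal without any aud/sub Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        principal = stmt.get("Principal", {})
        if (stmt.get("Effect") != "Allow" or not actions & ASSUME_ACTIONS
                or not isinstance(principal, dict) or "Federated" not in principal):
            continue
        # Collect every condition key across all operators, e.g. "oidc.example.com:aud".
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not any(k.endswith((":aud", ":sub")) for k in keys):
            findings.append(f"Statement {i}: {principal['Federated']} trusted without aud/sub condition")
    return findings
```

Running the check over the two policies reports the weak one and passes the hardened one; the same check works for SAML trust policies, whose condition keys end in `SAML:aud`.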

Origin www.cnblogs.com/cloudrivers/p/11387499.html