[aws][chore] Documentation for AWS Iam and SSO (#2181)

Author: aquamatthias

plugins/aws/docs/iam.puml

@@ -0,0 +1,40 @@
+@startuml
+
+class IAMEntity {
+  - id: string
+  - inlinePolicy: PolicyStatement[]
+}
+
+class User
+class Group
+class Role
+note bottom of Role
+  Role has a trust policy that defines what users,
+  groups or services can assume this role.
+  Can have a cross account trust.
+end note
+IAMEntity <|-- Group
+IAMEntity <|-- Role
+IAMEntity <|-- User
+Group *-- User
+
+class Policy {
+  - managedBy: AWS|Customer
+}
+class PolicyStatement {
+  - effect: Allow|Deny
+  - actions: string[]
+  - notActions: string[]
+  - resources: string[]
+  - conditions: string[]
+  - more...
+}
+class Resource {
+  - inlinePolicy: PolicyStatement[]
+}
+Policy -> PolicyStatement
+IAMEntity ->  Policy
+PolicyStatement ..> Resource
+
+
+@enduml

plugins/aws/docs/sso.puml

@@ -0,0 +1,58 @@
+@startuml
+
+hide empty members
+
+
+class User
+class Group
+class PermissionSet {
+  - inlinePolicy: PolicyStatement[]
+}
+
+Group o--> User
+User o--> PermissionSet
+Group o--> PermissionSet
+
+(Group, PermissionSet) .. Account
+Account .. (User, PermissionSet)
+
+package AwsAccount {
+class Role
+PermissionSet .> Role
+}
+
+note bottom of AwsAccount.Role
+The Permissions of the PermissionSet is
+replicated as Role into every Account.
+end note
+
+class PolicyStatement {
+  - effect: Allow|Deny
+  - actions: string[]
+  - notActions: string[]
+  - resources: string[]
+  - conditions: string[]
+}
+PermissionSet o--> PolicyStatement
+
+note bottom of PermissionSet
+The same PermissionSet can be assigned to multiple
+Users and Groups in multiple accounts.
+end note
+note right of User
+Has nothing to do with Iam User.
+end note
+note right of Group
+Has nothing to do with Iam Group.
+end note
+
+
+
+note top of Group
+AWS SSO User AWS IAM Identity Center (SSO)
+is usually available in one account in the organization
+and one region.
+
+It is allowed to have more than one SSO instance in individual accounts.
+end note
+@enduml