Document IAM authorization with audit, ignore, and enforce modes

Update IAM section in services.html with three authorization modes
(disabled, audit, enforce), identity policies, permissions boundaries,
and resource policies. Add lws iam-auth command card to cli.html with
status, enable, disable, set, and set-identity subcommands.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: eamonnfaherty

cli.html

@@ -344,6 +344,32 @@ <h4>lws chaos</h4>
 # Disable
 uvx --from local-web-services lws chaos disable dynamodb</code></div>
         </div>
+
+        <div class="lws-command">
+          <h4>lws iam-auth</h4>
+          <p>IAM authorization management. Audit, ignore, or enforce IAM permissions on local AWS services.</p>
+          <div>
+            <span class="subcmd">status</span>
+            <span class="subcmd">enable</span>
+            <span class="subcmd">disable</span>
+            <span class="subcmd">set</span>
+            <span class="subcmd">set-identity</span>
+          </div>
+          <div class="code-block" style="margin-top: 12px;"><code># Check IAM auth status
+uvx --from local-web-services lws iam-auth status
+
+# Enforce IAM on DynamoDB (deny unauthorized requests)
+uvx --from local-web-services lws iam-auth set dynamodb --mode enforce
+
+# Audit mode (log violations without blocking)
+uvx --from local-web-services lws iam-auth set s3 --mode audit
+
+# Switch active identity
+uvx --from local-web-services lws iam-auth set-identity readonly-user
+
+# Disable IAM auth for a service
+uvx --from local-web-services lws iam-auth disable sqs</code></div>
+        </div>
       </div>
     </div>
   </section>

services.html

@@ -537,7 +537,7 @@ <h4>CDK Constructs</h4>
         </div>
       </div>
 
-      <h3 class="service-category">Identity</h3>
+      <h3 class="service-category">Identity &amp; Authorization</h3>
 
       <div class="services-list">
         <div class="service-detail" id="iam-sts">
@@ -564,7 +564,15 @@ <h4>STS Operations</h4>
               <span class="op">AssumeRole</span>
             </div>
           </div>
-          <p class="service-note">Stub APIs that return AWS-compatible responses for Terraform compatibility. IAM role and policy operations are accepted and stored in memory. STS returns dummy credentials and caller identity. These stubs allow <code>terraform apply</code> to succeed without a real AWS account.</p>
+          <div class="service-detail-section">
+            <h4>IAM Authorization Modes</h4>
+            <div class="service-detail-ops">
+              <span class="op">Disabled</span>
+              <span class="op">Audit</span>
+              <span class="op">Enforce</span>
+            </div>
+          </div>
+          <p class="service-note">IAM role and policy operations are accepted and stored in memory. STS returns credentials and caller identity for Terraform compatibility. <strong>IAM authorization</strong> can be configured in three modes: <strong>disabled</strong> (default &mdash; all requests pass through), <strong>audit</strong> (requests pass through but violations are logged as warnings), or <strong>enforce</strong> (requests that fail IAM checks are denied with HTTP 403). Supports identity-based policies, permissions boundaries, resource policies, wildcard matching, and per-request identity override via HTTP header. Authorization applies to DynamoDB, S3, SQS, SNS, EventBridge, Step Functions, Cognito, SSM, and Secrets Manager.</p>
         </div>
       </div>