As an AWS security best practice, it's best to have narrow-scoped IAM policies so that users are only authorized to perform actions on the resources they expect. This is even more important when you plan to authorize users to run some code in AWS services (for example, in a lambda function to access other resources). In this case, IAM provides a way to standardize the roles that authorized users can grant to AWS services: IAM PassRole

IAM is used to control permissions on AWS resources that can be applied to a group of users as well as to individual users. At the same time, IAM can also be combined with other authentication systems, such as Shibboleth, Microsoft ActiveDirectory. At the same time, you can also audit the access information (using AWS CloudTrail)

The role of Internet Gateway: let the resources in the public subnet connect to the Internet, and also let the Internet connect to the resources in the public subnet