Add diagrams for WAF IAM (#1060)

Add diagrams to new IAM section

Author: jonathanfrappier

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/centralize-identity-management.mdx

@@ -25,6 +25,9 @@ integrate the identity provider with other systems and authorize access for thos
 users. Each user has a single username and password, but can access the systems
 required to perform their job.
 
+![Diagram showing concept of centralized identity and access management.](/img/well-architected-framework/diagram-iam-centralized.png#light-theme-only)
+![Diagram showing concept of centralized identity and access management.](/img/well-architected-framework/diagram-iam-centralized-dark.png#dark-theme-only)
+
 Having individual user accounts on multiple platforms is similar to having a
 local user on your laptop. You can log in to the laptop with the local user, but
 that username and password do not provide access to your email or other systems.

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/create-permissions-guardrails.mdx

@@ -28,6 +28,15 @@ role, group membership, the resources they access, and the context of the access
 request. For example, a user may have permission to read data from a database
 but not to write data to it.
 
+Defining guardrails allows you to enforce policies at different levels of the
+organization, preventing you from granting excessive permissions to
+a user or system. This diagram shows an example of restricting permissions at
+various levels. The effective permissions for a user is a combination of
+permissions granted at the user, group, and organizational levels.
+
+![Diagram showing guardrails at various levels within an organization.](/img/well-architected-framework/diagram-iam-guardrails.png#light-theme-only)
+![Diagram showing guardrails at various levels within an organization.](/img/well-architected-framework/diagram-iam-guardrails-dark.png#dark-theme-only)
+
 The following is an example of a database permission and AWS S3 bucket policy
 that follows least privilege:
 

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/define-access-requirements.mdx

@@ -25,6 +25,9 @@ several sources, including:
 - Current best operational practices that define security controls (SOC 2, NIST,
   ISO 27001).
 
+  ![Diagram showing sources of access requirements including industry regulations, regulatory standards, and best practices.](/img/well-architected-framework/diagram-iam-define-acccess.png#light-theme-only)
+  ![Diagram showing sources of access requirements including industry regulations, regulatory standards, and best practices.](/img/well-architected-framework/diagram-iam-define-acccess-dark.png#dark-theme-only)
+  
 When you understand which regulations and standards apply to your organization, you can
 begin to identify the specific access requirements that you need to implement
 for your systems and teams.

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/grant-least-privilege.mdx

@@ -15,7 +15,7 @@ you can use that information to write identity and access management (IAM) polic
 ## What is least privilege
 
 Least privilege means that users, applications, and systems have the minimum
-permissions necessary to perform their required tasks. Following the princple of
+permissions necessary to perform their required tasks. Following the principle of
 least privilege reduces the risk of unauthorized access or actions that can
 compromise the security of your systems and [secure
 data](/well-architected-framework/secure-systems/data/classify-data).
@@ -65,6 +65,14 @@ HashiCorp tools and services like [Vault](/vault/tutorials/get-started) and
 privilege access controls, while Terraform helps you manage the policies for
 Vault and Boundary.
 
+In this example, you write a policy that only permits access to the path for a
+a specifidc KV secrets engine. Because Vault policies follow least privilege by default, the
+authenticated user does not have access to other paths not defined in the
+policy.
+
+![Diagram showing HashiCorp Vault using a policy to enforce least privilege access controls.](/img/well-architected-framework/diagram-iam-least-priv-vault.png#light-theme-only)
+![Diagram showing HashiCorp Vault using a policy to enforce least privilege access controls.](/img/well-architected-framework/diagram-iam-least-priv-vault-dark.png#dark-theme-only)
+
 With Vault and Boundary, you can provision dynamic credentials allowing users to
 remotely access systems without managing long-lived credentials. When the
 session is complete, Vault revokes the credentials, reducing the risk of

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/manage-access-lifecycle.mdx

@@ -51,6 +51,9 @@ the following key activities:
 - Account deprovisioning and removal
 - Access reviews and audits
 
+![Diagram showing the account management lifecycle.](/img/well-architected-framework/diagram-iam-lifecycle.png#light-theme-only)
+![Diagram showing the account management lifecycle.](/img/well-architected-framework/diagram-iam-lifecycle-dark.png#dark-theme-only)
+
 Following these practices helps you properly manage accounts and ensure
 your users and services that require access to a system have access.