IAM is Identity and Access Management. Tag-based IAM is access granted to users or roles based on tags referenced in the condition element of a policy. IAM tags let you control what a principal can do based on the tags attached to that principal's identity, the tags on the IAM resource being acted on, or the tags passed in the request. An IAM user or role can be both a principal and a resource: for example, a policy can allow a user to list the groups of another user, provided the requesting user (the principal) is working on the same project as the user being reviewed (the resource). An IAM role defines a set of permissions for making AWS service requests.
To control access based on tags, put the tag information in the condition element of the policy. IAM tags can govern access through the user or role resource, the request, the principal, or any other part of the authorization process.
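As an added example (not from the original text), the identity-based policy below expresses the scenario above in IAM policy JSON: the first statement compares the tag on the IAM user being read (`iam:ResourceTag`) with the tag on the caller (`aws:PrincipalTag`), and the second allows the caller to tag users only with its own project value (`aws:RequestTag`). The account ID 111122223333 is a placeholder and the tag key `project` is an assumption.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListGroupsForUsersOnSameProject",
      "Effect": "Allow",
      "Action": "iam:ListGroupsForUser",
      "Resource": "arn:aws:iam::111122223333:user/*",
      "Condition": {
        "StringEquals": {
          "iam:ResourceTag/project": "${aws:PrincipalTag/project}"
        }
      }
    },
    {
      "Sid": "TagUsersOnlyWithOwnProject",
      "Effect": "Allow",
      "Action": "iam:TagUser",
      "Resource": "arn:aws:iam::111122223333:user/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/project": "${aws:PrincipalTag/project}"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["project"]
        }
      }
    }
  ]
}
```

A caller whose identity carries no `project` tag cannot satisfy either condition, so these statements grant it nothing; the `aws:TagKeys` clause keeps the caller from attaching any tag key other than `project` through this permission.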