Create a user group: Name, Users, Permission policies.
Create a user: Name, Permissions.
A specific permission policy can be created as well, under Policies.
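The three console steps above as AWS CLI calls, in an added example that is not part of the original notes. The group, user, policy and bucket names, the S3 read-only policy and the account ID placeholder are assumptions; the script only prints the commands unless DRY_RUN=0 is set.

```shell
# Added example: CLI equivalent of the console steps (group, user, policy).
# Every name below is hypothetical; DRY_RUN=1 (default) only prints commands.
DRY_RUN="${DRY_RUN:-1}"
GROUP="log-readers"                  # hypothetical group name
USER_NAME="alice"                    # hypothetical user name
POLICY="log-bucket-read-only"        # hypothetical policy name
BUCKET="example-log-bucket"          # hypothetical bucket the policy covers
ACCOUNT_ID="${ACCOUNT_ID:-ACCOUNT_ID_PLACEHOLDER}"  # placeholder, set your own
POLICY_FILE="${TMPDIR:-/tmp}/policy.json"

# Emit a customer-managed policy scoped to one bucket (constructed sample).
policy_document() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::$1", "arn:aws:s3:::$1/*"]
  }]
}
EOF
}

# Succeed only if no Action or Resource is the bare wildcard "*".
policy_is_scoped() {
  ! printf '%s' "$1" | grep -Eq '"(Action|Resource)": *\[? *"\*"'
}

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

provision() {
  doc=$(policy_document "$BUCKET")
  policy_is_scoped "$doc" || { echo "policy too broad" >&2; return 1; }
  printf '%s\n' "$doc" > "$POLICY_FILE"
  run aws iam create-group --group-name "$GROUP"
  run aws iam create-user --user-name "$USER_NAME"
  run aws iam add-user-to-group --group-name "$GROUP" --user-name "$USER_NAME"
  run aws iam create-policy --policy-name "$POLICY" \
    --policy-document "file://$POLICY_FILE"
  run aws iam attach-group-policy --group-name "$GROUP" \
    --policy-arn "arn:aws:iam::$ACCOUNT_ID:policy/$POLICY"
}

provision
```

Attaching the policy to the group rather than to the user keeps permissions in one place when more users are added later.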
Some comments:
Role-based access is available from IAM: authentication uses PKI, by creating a CA from within AWS and (probably) issuing certificates to devices, which can then use them to request access.