We know how users are (generally) authenticated, but how do we know what it is they're allowed to do once they've been authenticated? Can they just do whatever they like within a system, or do we limit what they can do to specific tasks?
You'll note my spelling of authorisation - with an "s". You'll see it spelt "authorization" too, with a "z". This is simply the difference between British and American English.
Authorisation solves this problem. As a concept it can be simple to explain, but in reality it's a very hard problem to solve.
When we eventually reach the chapter on AWS, you'll see mention of "AWS IAM". IAM means "Identity and Access Management", or in other words: authentication and authorisation.