I agree. The role that Nucleus asks you to create does not ask for the AdministratorAccess policy. Instead, it calls out the specific product areas that it accesses. We also have a description of each one and why we need it in our docs. https://docs.nucleuscloud.com/home/concepts/permissions-over...
However, we can definitely be more detailed and call out specific actions that we need in those areas. That still leaves us with IAM though. I think we can still do better here to further limit IAM, but as of right now we can still do a lot if we have full access to the IAM feature set. It's something we're working on improving, but for now, I always suggest folks turn on auditing in their AWS accounts to keep on top of anything that is happening.
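The comment above draws a line between a role that grants whole "product areas" (service-wide wildcards such as `iam:*`) and one that names the specific actions it needs. The following is an added example, not code from the thread, from Nucleus, or from AWS: a small static check over an IAM policy document that reports service-wide wildcards and any grant that covers an IAM action capable of widening the principal's own access. The two policies, the account ID, and the `nucleus-*` role name are constructed for illustration and are not Nucleus's real role policy; the list of escalation actions is an assumed, well-known subset and is not exhaustive.

```python
"""Added example: lint an AWS IAM policy document for grants broader than
explicit actions, and for IAM actions that allow privilege escalation.
Not code from the thread, from Nucleus, or from AWS."""
import fnmatch

# IAM actions that on their own let a principal expand its privileges.
# Assumed list of well-known escalation primitives; deliberately not exhaustive.
ESCALATION_ACTIONS = frozenset({
    "iam:PassRole", "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy",
    "iam:PutRolePolicy", "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy",
    "iam:AddUserToGroup",
})

# Constructed: a "product area" style role that grants whole services.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "eks:*", "s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
}

# Constructed: the same areas, but only named actions, with IAM reduced to
# read-only calls on a role name pattern (account ID and role name are made up).
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeVpcs",
                    "eks:DescribeCluster", "eks:ListClusters",
                    "s3:GetObject", "s3:ListBucket"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:GetRole", "iam:ListAttachedRolePolicies"],
         "Resource": "arn:aws:iam::123456789012:role/nucleus-*"},
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def services_touched(policy):
    """Service prefixes the policy grants anything in (the 'product areas')."""
    services = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            services.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return sorted(services)


def find_risky_grants(policy):
    """Return (statement_index, action, reason) for every Allow entry that is
    broader than an explicit action or that covers an IAM escalation primitive.
    Deny statements are skipped: they remove access, they do not grant it."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((i, "NotAction", "allows every action not listed"))
        for action in _as_list(stmt.get("Action")):
            pattern = action.lower()
            if pattern == "*":
                findings.append((i, action, "full administrative access"))
                continue
            # Expand the pattern against the escalation list: "iam:*" and
            # "iam:Put*" both match PutRolePolicy, so both get reported.
            escalators = sorted(a for a in ESCALATION_ACTIONS
                                if fnmatch.fnmatchcase(a.lower(), pattern))
            if escalators:
                findings.append((i, action, "covers IAM escalation primitives: "
                                 + ", ".join(escalators)))
            elif "*" in pattern:
                findings.append((i, action, "wildcard: grants every current and "
                                 "future action it matches"))
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("tight", TIGHT_POLICY)):
        print(name, "touches services:", services_touched(policy))
        for idx, action, reason in find_risky_grants(policy):
            print(f"  statement {idx}: {action} -> {reason}")
```

Both policies touch the same four services, which is why listing "areas" alone does not say much about blast radius: the broad policy produces four findings, including the `iam:*` grant that expands to every escalation primitive, while the tightened one produces none. The check only looks at the Action field; it does not evaluate Resource or Condition scoping, and it is no substitute for the auditing the comment recommends, since only the account's own API audit log (CloudTrail on AWS) shows which of the granted actions were actually exercised.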