by coredog64 345 days ago
There is a similar issue with AWS. AWS provides a "ReadOnlyAccess" managed policy that has additional privileges that you probably don't want folks to have (e.g. can read S3 bucket content, not just see bucket names/key names). They recognized this and created a more limited "ViewOnlyAccess" that doesn't have access to content.

There's another common fix, which is to apply a permission boundary to IAM roles. This allows the use of generic policies like "ReadOnlyAccess" but can then be further downscoped to resources by tag (or other similar ABAC schemes).

1 comments

You should not be using any of their managed policies, but creating your own. Using their own managed policies is a strong misunderstanding of how to use IAM.
Downvoting without discussion? That’s not critique, that’s cowardice. Tell me what is wrong about this factual statement.
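The two mechanisms discussed in this thread, a broad managed-style identity policy capped by a tag-based permission boundary (coredog64's comment) versus writing your own scoped policy (the reply), can be illustrated with a small model of how a boundary caps an identity policy. The code below is an added example, not from the thread or from AWS: it is a deliberately simplified evaluator (explicit Deny wins, otherwise a request needs a matching Allow in both the identity policy and the boundary, and only `StringEquals` on `aws:ResourceTag/<Key>` with `${aws:PrincipalTag/<Key>}` substitution is modelled). The two policy documents are constructed stand-ins; `READ_ONLY_IDENTITY_POLICY` is not AWS's actual ReadOnlyAccess document, and the evaluator ignores case-insensitivity, NotAction, resource policies and the other parts of real IAM evaluation.

```python
"""Simplified model of an IAM permission boundary capping an identity policy.

Assumption (this is NOT AWS's real evaluator): effective permission =
identity policy allows AND boundary allows, with explicit Deny winning.
Condition support is limited to StringEquals on aws:ResourceTag/<Key>
with ${aws:PrincipalTag/<Key>} substitution, the ABAC pattern the
comment describes.
"""
import fnmatch

# Constructed stand-in for a broad "read everything" managed policy
# (hypothetical; not the exact AWS ReadOnlyAccess document).
READ_ONLY_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket", "ec2:Describe*"],
         "Resource": "*"},
    ],
}

# Constructed permission boundary: any action, but only on resources whose
# Team tag equals the caller's Team tag. Describe* calls operate on no
# tagged resource, so they get an unconditional allow; that gap is the
# caveat of tag-based scoping, not an accident.
TEAM_TAG_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": "*",
         "Resource": "*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/Team": "${aws:PrincipalTag/Team}"}}},
        {"Effect": "Allow",
         "Action": ["ec2:Describe*"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, ctx):
    """Expand a ${aws:PrincipalTag/<Key>} policy variable from the request context."""
    prefix, suffix = "${aws:PrincipalTag/", "}"
    if value.startswith(prefix) and value.endswith(suffix):
        return ctx["principal_tags"].get(value[len(prefix):-len(suffix)])
    return value


def _condition_holds(condition, ctx):
    """Only StringEquals on aws:ResourceTag/<Key> is modelled; a missing tag fails the test."""
    for ctx_key, expected in condition.get("StringEquals", {}).items():
        if not ctx_key.startswith("aws:ResourceTag/"):
            raise ValueError(f"unsupported condition key {ctx_key}")
        actual = ctx["resource_tags"].get(ctx_key[len("aws:ResourceTag/"):])
        if actual is None or actual != _resolve(expected, ctx):
            return False
    return True


def _statement_matches(stmt, action, resource, ctx):
    action_ok = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
    return action_ok and resource_ok and _condition_holds(stmt.get("Condition", {}), ctx)


def policy_allows(policy, action, resource, ctx):
    """Explicit Deny wins; otherwise the request needs at least one matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allow(identity_policy, boundary, action, resource, ctx):
    """A boundary never grants anything; it only caps what the identity policy grants."""
    return (policy_allows(identity_policy, action, resource, ctx)
            and policy_allows(boundary, action, resource, ctx))


def check(action, resource, principal_tags, resource_tags):
    """Evaluate one request against the constructed identity policy + boundary."""
    ctx = {"principal_tags": principal_tags, "resource_tags": resource_tags}
    return effective_allow(READ_ONLY_IDENTITY_POLICY, TEAM_TAG_BOUNDARY, action, resource, ctx)


if __name__ == "__main__":
    blue = {"Team": "blue"}
    # Constructed sample requests for a principal tagged Team=blue.
    cases = [
        ("s3:GetObject", "arn:aws:s3:::team-blue-data/report.csv", blue, {"Team": "blue"}),
        ("s3:GetObject", "arn:aws:s3:::team-red-data/secrets.csv", blue, {"Team": "red"}),
        ("s3:GetObject", "arn:aws:s3:::untagged-bucket/file.csv", blue, {}),
        ("ec2:DescribeInstances", "*", blue, {}),
        ("iam:CreateUser", "*", blue, {"Team": "blue"}),
    ]
    for action, resource, p_tags, r_tags in cases:
        print(f"{action:22} {resource:45} -> {check(action, resource, p_tags, r_tags)}")
```

Two things the model makes visible: an untagged resource falls outside the boundary entirely (the third case is denied even though the identity policy allows it), which is why a tag-based boundary only works alongside enforced tagging; and the boundary allows `iam:CreateUser` on its own, yet the effective answer is still denied, because a boundary is a ceiling rather than a grant. The `ec2:Describe*` carve-out shows the other side of the same coin: list/describe calls have no tagged resource to test, so they either stay broad or must be handled by a separate, narrower policy of your own.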