Very wrong. An IAM group is not a principal. https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal More on reddit.com

Without having access to AWS CLI or any AWS account in general, where are the current list of internal out-of-the-box IAM roles documented? As an example: AccountReadOnly or AccountMonitor I'v... More on repost.aws

Great question and thinking - from a security perspective, we thank you for thing of IAM considerations first before using an overly permissive IAM Principal. I'll split this up into a couple categories: Overall: Does your organization have pre-existing AWS Access patterns or resources for you to follow? Every organization is different and I recommend following existing patterns or building on top of those. Do you have separate AWS Accounts for environments (Dev, Stage, Prod)? There are resources on Account separation as these provide logical boundaries. These accounts can all be part of the same Organization. For an enterprise, I'd typically recommend many accounts as this can provide security and also help with segmentation and reduce blast radius (example: someone manually accessing improper data or deleting resources). It sounds like you have multiple different access use cases with engineers, business users, ETL tools, reporting tools, vendors. This guide is useful: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPracticesAndUseCases.html I'd also outline the following for the use cases: Who is accessing (engineers, data scientists, application, etc)? How are they trying to access (manual, automated)? What do they need access to? Mechanism of Access into AWS: IAM Users are a quick way to start, but I'd recommend IAM Roles and using Identity Center (AWS SSO) when possible. For different IAM roles, I usually split these up by "application". So if one workflow is reading from postgres and writing to S3, that would be 1 Role with the applicable polices. Then the Glue job loading from Redshift would be a different role. Example: https://docs.aws.amazon.com/glue/latest/dg/create-an-iam-role.html . For vendors delivering files - you could use S3 for this (as an example to not give them an IAM principal in your accounts): S3 Presigned URLs S3 Bucket Policies for cross account access Environment Differences: My preference is a more open IAM principal in Development environments for easier troubleshooting, and a more constrained IAM Principal (role) in Stage and Production. If you're building an application and doing more automation in Stage and Production, I'd suggest sticking more to IAM Roles and not IAM Users. If you do need access for data engineers to manually run things in Production, I'd recommend using Identity Center (AWS SSO). Permission-wise, I'd recommend scoping down/testing in Development and using those scoped down roles in Stage and Production. That's just a start but some considerations for you to think about! More on reddit.com

In addition to the other comment (which you should read - protect the root account immediately), you should get your head around basic IAM policies and permissions before you do this for your application. Giving a user specific access policies becomes basically the same thing as doing it for a role, so start there because that tends to make more sense to folks that haven't touched roles yet. As for examples, there are plenty out there - anything on Lambda will typically require a couple different roles. Or you could create an EC2 and give it an instance profile (a role) and then watch it access stuff via the CLI. Once you do this once or twice you'll probably get that lightbulb moment. More on reddit.com