For AWS integration with my commercial tool, I am considering having it inspect its own permissions and loudly tell you it's misconfigured if you give it permissions to do anything more than what it minimally needs. I wish more tools did this.
There's an incredibly broad set of permissions (at the cloud or OS level). Any app / tool may be written to use any subset of those. And what it uses is rarely documented (because developers don't see IAM security as a primary feature, outside of apps intended for use in regulated environments).
Without automation, this thus requires continual reverse engineering, which is never a healthy, sane long-term solution.
This should be fixed on the product / app side, where folks are much better placed to dump "I need this, and only this" in machine-readable form.
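A sketch of the self-check described above, added here as an example rather than code from the poster's tool: the tool ships a machine-readable manifest of the actions it needs, reads the identity-based policy attached to its role, and reports both missing and excess permissions. The policy document, manifest and action list are constructed samples; fetching the real policy from IAM, and the effect of resource scoping, conditions, NotAction, permission boundaries and SCPs, are out of scope here.

```python
import fnmatch
import json

# Constructed sample: the "I need this, and only this" manifest shipped with the tool.
REQUIRED_ACTIONS = {"s3:GetObject", "s3:ListBucket", "sqs:ReceiveMessage", "sqs:DeleteMessage"}

# Constructed sample: the identity-based policy an operator actually attached to the tool's role.
ATTACHED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "sqs:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "sqs:PurgeQueue", "Resource": "*"},
    ],
})

# Constructed sample: the concrete actions wildcards are expanded against (a real check
# would use the full action list for each service the manifest names).
KNOWN_ACTIONS = ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject",
                 "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:SendMessage",
                 "sqs:PurgeQueue", "iam:CreateUser"]


def action_patterns(policy_json):
    """Split a policy into (allow, deny) action patterns; Action may be a string or a list."""
    allow, deny = set(), set()
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        target = allow if stmt.get("Effect") == "Allow" else deny
        target.update(a.lower() for a in actions)  # IAM action names are case-insensitive
    return allow, deny


def is_granted(action, allow, deny):
    """IAM evaluation order for actions: an explicit Deny beats any Allow; * and ? are wildcards."""
    action = action.lower()
    if any(fnmatch.fnmatchcase(action, d) for d in deny):
        return False
    return any(fnmatch.fnmatchcase(action, a) for a in allow)


def audit(policy_json, required, known_actions):
    """Return (missing, excess): required actions not granted, and granted actions beyond the need."""
    allow, deny = action_patterns(policy_json)
    granted = {a for a in known_actions if is_granted(a, allow, deny)}
    return sorted(set(required) - granted), sorted(granted - set(required))


if __name__ == "__main__":
    missing, excess = audit(ATTACHED_POLICY, REQUIRED_ACTIONS, KNOWN_ACTIONS)
    if excess:
        print("MISCONFIGURED: role grants more than this tool needs:", ", ".join(excess))
    if missing:
        print("MISCONFIGURED: role lacks required actions:", ", ".join(missing))
```

With the sample policy the check flags `sqs:SendMessage` as excess (the `sqs:*` wildcard) while correctly treating the denied `sqs:PurgeQueue` as not granted.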