The point i'm trying to make is if the scope of what a system can do is limited, it's permission boundary/model is easy to define.

Many things led to the incorrect provisioning of the IAM role. Lake of understanding of IAM for starters as well as consequences around it.

By no means am I saying microservices would solve the problem. But it sure does make it easier to define what permissions your app needs to have as well as limit the blast radius of what is exposed when done correctly.

This is impossible with monoliths on EC2 instances.