When customers have dozens of apps and accounts, maintaining IAM policy governance requires extra effort.
A starting point is for each team to write the AWS CloudFormation templates (infrastructure as code) containing the IAM policies it needs, and to have them reviewed, approved, documented in a repository (git/cvs), and created by the security team.
To give development teams more autonomy and reduce the operational burden on the security team, it is convenient for them to propose new IAM policies themselves, according to their needs and respecting the principle of least privilege, and to have an AWS Lambda function owned by the security team verify that the access being requested is reasonable for the organization (for example, by checking that no Allow statement contains "Action": "*" or "Resource": "*").
Security can then approve the requested policy manually or automatically, depending on the environment or corporate policy, and have it created.
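The following is an added example of the kind of validation Lambda described above; it is not code from the original post. It assumes the template is delivered to the function as JSON in event["template"] (a YAML template would need an additional parser), and it walks the IAM resource types listed in IAM_TYPES, flagging any Allow statement whose Action or Resource is the bare wildcard. The sample template is constructed for the example.

```python
import json

# IAM resource types whose properties can carry a policy document.
IAM_TYPES = {
    "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy", "AWS::IAM::Role",
    "AWS::IAM::User", "AWS::IAM::Group",
}


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _policy_documents(logical_id, props):
    """Yield (label, policy_document) for every policy document on an IAM resource."""
    if "PolicyDocument" in props:                      # AWS::IAM::Policy / ManagedPolicy
        yield logical_id, props["PolicyDocument"]
    if "AssumeRolePolicyDocument" in props:            # role trust policy
        yield f"{logical_id}/AssumeRolePolicyDocument", props["AssumeRolePolicyDocument"]
    for inline in props.get("Policies", []):           # inline policies on Role/User/Group
        yield f"{logical_id}/{inline.get('PolicyName', '?')}", inline.get("PolicyDocument", {})


def find_wildcards(template):
    """Return a list of findings (strings) for Allow statements with Action '*' or Resource '*'."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in IAM_TYPES:
            continue
        props = resource.get("Properties", {})
        for label, doc in _policy_documents(logical_id, props):
            for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
                if stmt.get("Effect") != "Allow":      # a Deny with '*' is not over-privilege
                    continue
                if "*" in _as_list(stmt.get("Action")):
                    findings.append(f"{label} statement {idx}: Action '*'")
                if "*" in _as_list(stmt.get("Resource")):
                    findings.append(f"{label} statement {idx}: Resource '*'")
    return findings


def lambda_handler(event, context):
    """Entry point. event['template'] is assumed to be the CloudFormation template as a JSON string or dict."""
    raw = event["template"]
    template = json.loads(raw) if isinstance(raw, str) else raw
    findings = find_wildcards(template)
    return {"approved": not findings, "findings": findings}


# Constructed sample template: one least-privilege role and one over-privileged managed policy.
SAMPLE_TEMPLATE = {
    "Resources": {
        "ReaderRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Principal": {"Service": "lambda.amazonaws.com"},
                                   "Action": "sts:AssumeRole"}],
                },
                "Policies": [{
                    "PolicyName": "ReadBucket",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow",
                                       "Action": ["s3:GetObject"],
                                       "Resource": "arn:aws:s3:::example-bucket/*"}],
                    },
                }],
            },
        },
        "AdminPolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
                },
            },
        },
    }
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler({"template": json.dumps(SAMPLE_TEMPLATE)}, None), indent=2))
```

This check is a floor, not a ceiling: "s3:*" or an account-wide ARN would pass it, so in practice the automatic gate rejects the obvious cases and the manual approval step looks at the rest.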
AWS CodePipeline not only orchestrates the stages of an application's continuous delivery cycle; it can also be used to build and deploy IAM policies in the same continuous fashion.