I collected a few thoughts on how to arrange IAM roles and policies in this blog post: