I think this gets at my ick with IAM. If AWS knows it needs “s3:ListBuckets” for a call to function, why doesn’t giving permissions on that call just imply that I gave it the “s3:ListBuckets” permission too?
For enterprises that genuinely want the finer-grained control, let them express that they want to opt out of that implicitness in the policy document.