You have a service and give it a role that has some permissions. If you want to have minimal permissions, you would probably at least end up with services*2 roles & policies if you write a custom policy for every role, so the service can't do more than needed.
I mean, you could probably calculate one role and one policy for all the stuff that runs, to make it really simple, but I don't think this will make it secure.
But, yes, I don't like IAM either.
I read some people don't even use it anymore, but I didn't find out what they are doing instead.
It's just very detailed.
It also includes all the CI/CD services/roles they used.
28 boxes alone are permissions related.
The stuff that runs in the end (like a server would) is 3 Lambda functions and an S3 bucket.
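As an added illustration of the trade-off discussed above (one role and policy per service versus one shared policy for everything), here is a small Python example; it is not part of the comment, and the service names, bucket ARN and action sets are constructed for the example. It builds a per-service policy document from what each function needs, builds the "one policy for all" union for comparison, and shows two checks a reviewer can run: which actions the shared policy grants that a given service never needs, and whether any statement uses wildcard actions or resources.

```python
import json

# Constructed example (hypothetical names): what each runtime piece needs.
SERVICE_NEEDS = {
    "ingest-fn": {"s3:PutObject": ["arn:aws:s3:::example-data-bucket/*"]},
    "report-fn": {"s3:GetObject": ["arn:aws:s3:::example-data-bucket/*"]},
    "cleanup-fn": {
        "s3:DeleteObject": ["arn:aws:s3:::example-data-bucket/*"],
        "s3:ListBucket": ["arn:aws:s3:::example-data-bucket"],
    },
}


def build_policy(needs):
    """One IAM policy document: only the listed actions on the listed resources."""
    statements = [
        {"Effect": "Allow", "Action": action, "Resource": list(resources)}
        for action, resources in sorted(needs.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def build_per_service_policies(service_needs):
    """Least-privilege variant: a separate policy (and role) per service."""
    return {name: build_policy(needs) for name, needs in service_needs.items()}


def build_shared_policy(service_needs):
    """'One role and one policy for everything': the union of every service's needs."""
    merged = {}
    for needs in service_needs.values():
        for action, resources in needs.items():
            merged.setdefault(action, set()).update(resources)
    return build_policy({a: sorted(r) for a, r in merged.items()})


def _actions_of(policy):
    out = set()
    for st in policy["Statement"]:
        a = st["Action"]
        out.update(a if isinstance(a, list) else [a])
    return out


def excess_actions(shared_policy, service_policy):
    """Actions the shared policy grants that this service's own policy does not need."""
    return sorted(_actions_of(shared_policy) - _actions_of(service_policy))


def overbroad_statements(policy):
    """Flag statements whose Action or Resource is a wildcard ('*' or 'svc:*')."""
    flagged = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            flagged.append(st)
    return flagged


def count_artifacts(service_needs):
    """Roles plus policies you end up managing with one custom policy per service."""
    return 2 * len(service_needs)


if __name__ == "__main__":
    per_service = build_per_service_policies(SERVICE_NEEDS)
    shared = build_shared_policy(SERVICE_NEEDS)
    print("roles+policies to manage:", count_artifacts(SERVICE_NEEDS))
    for name, policy in per_service.items():
        print(name, "would also get via the shared policy:", excess_actions(shared, policy))
    print(json.dumps(per_service["report-fn"], indent=2))
```

The per-service policies produce `services*2` objects to maintain, which is the overhead the comment describes; the `excess_actions` check makes the cost of the shared-policy shortcut concrete by listing, per function, the permissions it would hold but never use.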