As an AWS security best practice, it's best to have narrow-scoped IAM policies so that users are only authorized to perform actions on the resources they expect. This is even more important when you plan to authorize users to run some code in AWS services (for example, in a lambda function to access other resources). In this case, IAM provides a way to standardize the roles that authorized users can grant to AWS services: IAM PassRole