AWS IAM is a hot mess. Even setting up an S3 bucket with an access key for uploading is a 15-step process, minimum, with a lot of opportunity to fuck up.

Maybe through the GUI; it's a single step with the CLI.

Please elaborate. How is this achieved in one step with the CLI?

With this.

https://github.com/salesforce/policy_sentry

(Disclaimer: I am the author)

Not one step exactly, but it is by far the easiest way to write least-privilege IAM policies. Otherwise, it becomes impossible to ensure IAM policies are written securely and at scale. This way, all custom IAM policies are written with the exact same methodology.