Configuration

Service owners do not need admin permissions in their cloud accounts

Service owners don't need admin permissions; they should be given a minimal set of permissions (e.g. read-only) and granted more only as necessary.

Summary

Service owners do not need admin permissions in their cloud accounts. Permissions management in the cloud has historically been toil-heavy because of the vast scope of permissions and the large number of ever-changing services. By default, service owners should be given a minimal set of permissions (e.g. read-only). They should be able to obtain additional permissions easily when needed; however, every modification to permissions should be automatically logged and audited so that anomalous changes can be detected. Excess permissions can be identified from historical usage data, which can then be used to recommend permission reductions.
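The two automated pieces of this practice, detecting permission changes in the audit trail and flagging granted-but-unused services from historical usage data, as an added example that is not code from the original page. It assumes CloudTrail records already parsed into dicts (only the eventSource, eventName, userIdentity and requestParameters fields are used) and usage data in the shape of the ServicesLastAccessed list returned by the IAM GetServiceLastAccessedDetails API; the event list, the last-accessed data, the principal and role names, and the 123456789012 account ID are all constructed placeholders.

```python
"""Two checks behind the "minimal permissions by default" practice.

Added illustration, not code from the original page. Assumptions:
  - Events are CloudTrail records already parsed into dicts (only the
    eventSource / eventName / userIdentity / requestParameters fields are used).
  - Usage data has the shape of the ServicesLastAccessed list returned by
    iam:GetServiceLastAccessedDetails.
  - All records below are constructed for this example; the account ID is
    the documentation placeholder 123456789012.
"""
from datetime import datetime, timedelta, timezone

# IAM API calls that change what a principal is allowed to do. Any of these
# in a service-owner account is worth logging and reviewing.
PERMISSION_CHANGE_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "CreatePolicy", "CreatePolicyVersion", "SetDefaultPolicyVersion",
    "UpdateAssumeRolePolicy", "AddUserToGroup",
}

# Managed policies whose attachment should always be treated as high risk.
ADMIN_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}


def permission_changes(events):
    """Return one finding per IAM permission change found in `events`.

    Each finding is (actor ARN, eventName, target entity, high_risk flag).
    Non-IAM events and read-only IAM calls (GetRole, ListPolicies, ...) are ignored.
    """
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        name = ev.get("eventName")
        if name not in PERMISSION_CHANGE_EVENTS:
            continue
        params = ev.get("requestParameters") or {}
        target = (params.get("roleName") or params.get("userName")
                  or params.get("groupName") or params.get("policyArn"))
        high_risk = params.get("policyArn") in ADMIN_POLICY_ARNS
        findings.append((ev["userIdentity"]["arn"], name, target, high_risk))
    return findings


def unused_services(services_last_accessed, now, max_idle_days=90):
    """Return service namespaces a principal may use but has not touched in
    `max_idle_days` (or ever). These are candidates for removal.
    """
    cutoff = now - timedelta(days=max_idle_days)
    unused = []
    for svc in services_last_accessed:
        last = svc.get("LastAuthenticated")  # absent when never used
        if last is None or last < cutoff:
            unused.append(svc["ServiceNamespace"])
    return sorted(unused)


# --- constructed sample input (placeholder names and account ID) ----------
ACTOR = "arn:aws:iam::123456789012:user/alice"
SAMPLE_EVENTS = [
    {   # a privilege change: attaching AdministratorAccess to a service role
        "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
        "userIdentity": {"arn": ACTOR},
        "requestParameters": {"roleName": "svc-api",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    },
    {   # read-only IAM call: not a permission change
        "eventSource": "iam.amazonaws.com", "eventName": "GetRole",
        "userIdentity": {"arn": ACTOR},
        "requestParameters": {"roleName": "svc-api"},
    },
    {   # non-IAM activity: ignored by this check
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "userIdentity": {"arn": ACTOR},
        "requestParameters": {"bucketName": "svc-api-data", "key": "config.json"},
    },
]

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_LAST_ACCESSED = [
    {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=2)},
    {"ServiceNamespace": "ec2", "LastAuthenticated": NOW - timedelta(days=200)},
    {"ServiceNamespace": "iam"},  # granted but never used
]

if __name__ == "__main__":
    for actor, event, target, high_risk in permission_changes(SAMPLE_EVENTS):
        print(f"{'HIGH' if high_risk else 'info'}: {actor} {event} -> {target}")
    print("unused services:", unused_services(SAMPLE_LAST_ACCESSED, NOW))
```

In a real account the first function would run over CloudTrail events delivered through EventBridge or an S3 log bucket, and the second over the output of GenerateServiceLastAccessedDetails followed by GetServiceLastAccessedDetails for each role; the idle window is a tuning choice, and a never-used service is flagged regardless of the window.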

Applicable To

When service teams own their accounts

Resources

IAM

Maturity

Medium

Functions
Security
Reliability
CSPS

AWS

Author

Adam Cotenoff
