Hmm, we’re not using iam Roles and will not for a while.
Instead our Application accesses S3, Cloudfront and RDS via AccessKey.
My question is, for a multi stage environment (dev, staging, prod, etc)
Is it better to attach the policy to a group and create a user for said group
E.g a BackendStagingGroup and a BackendApplicationUser
Or is a user + policy sufficient without the group?