The most important security principles:
Principle of least privilege
This is frustrating to implement if you start from the absolute minimum set of permissions instead of treating least privilege as a goal to converge on.
Most “shift left” security linters will blindly flag your code with “IAM policy should avoid use of wildcards and instead apply the principle of least privilege”, whilst in practice starting broad and narrowing down is the only way to proceed.
It’s a constant tradeoff between ignoring naive checks and monitoring what is actually used with services like IAM Access Advisor.
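As an added example (not code from the original post), the following shows both halves of that tradeoff side by side: the naive wildcard check a linter performs, and a tightening step that replaces service-wide wildcards with the actions a role was actually observed to use. The bootstrap policy, the account id and the “observed usage” data are all constructed; in a real account the usage data would come from IAM Access Advisor’s service and action last-accessed reports.

```python
"""Wildcard linting beside Access Advisor-style tightening (added example)."""
import json

# Constructed: a bootstrap role policy written with wildcards, the kind every
# "shift left" linter flags. The account id is a placeholder.
BOOTSTRAP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:CreateLogStream",
         "Resource": "arn:aws:logs:eu-west-1:123456789012:log-group:/app/*"},
    ],
}

# Constructed: what last-accessed data might report after the role has run in
# production for a while (service -> actions actually used). DynamoDB is absent
# because the role never touched it.
OBSERVED_USAGE = {
    "s3": ["s3:GetObject", "s3:PutObject"],
    "logs": ["logs:CreateLogStream"],
}


def lint_wildcards(policy):
    """The naive check: (statement index, field) for every Allow with a '*'."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            values = stmt.get(field, [])
            if isinstance(values, str):
                values = [values]
            if any("*" in v for v in values):
                findings.append((i, field))
    return findings


def tighten(policy, observed):
    """Replace each service-wide 'svc:*' with the actions observed for that
    service, and drop statements whose service was never used at all.
    Explicit (non-wildcard) actions are kept as written; Resource wildcards are
    left alone because scoping ARNs is a separate step."""
    new_statements = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            new_statements.append(stmt)
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        kept = []
        for action in actions:
            service, _, name = action.partition(":")
            if name == "*":
                kept.extend(observed.get(service, []))
            else:
                kept.append(action)
        if not kept:
            continue  # nothing observed for this service: remove the grant
        new_stmt = dict(stmt)
        new_stmt["Action"] = sorted(set(kept))
        new_statements.append(new_stmt)
    return {"Version": policy["Version"], "Statement": new_statements}


if __name__ == "__main__":
    print("linter findings before:", lint_wildcards(BOOTSTRAP_POLICY))
    tightened = tighten(BOOTSTRAP_POLICY, OBSERVED_USAGE)
    print(json.dumps(tightened, indent=2))
    print("linter findings after:", lint_wildcards(tightened))
```

After tightening, the Action wildcards are gone and the unused DynamoDB grant has been removed, but the linter still reports the Resource wildcards; those need ARN scoping, which last-accessed data alone does not give you. That is the point of treating least privilege as a goal rather than a starting state.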
Principle of defense in depth
Preventing human error, “guardrails” and “governance” all fall under this wide-ranging topic.
Here is a good analysis of the defences required to secure a production S3 bucket.
Vigilance is key, and to complete the picture you must have organisation-wide security event monitoring, such as AWS CloudTrail, in place.
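As an added example (not from the original post and not the linked analysis), here is a small layered audit of an S3 bucket configuration with a weak configuration beside a hardened one. Each layer is checked independently, which is the defence-in-depth point: a gap in one control is caught because the others are still evaluated. The two bucket configuration dicts are constructed and only loosely mirror the real S3 API response shapes; in practice each layer comes from a different call (GetPublicAccessBlock, GetBucketEncryption, GetBucketVersioning, GetBucketLogging, GetBucketPolicy) and the last layer from the CloudTrail trail configuration.

```python
"""Layered S3 bucket audit: weak configuration beside a hardened one (added example)."""


def tls_only_deny_present(policy):
    """Detect a Deny statement that refuses requests not made over TLS."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


# Each entry is one independent control; the audit reports every gap, not
# just the first one it finds.
LAYERS = {
    "public_access_block": lambda c: all(
        c.get("public_access_block", {}).get(k)
        for k in ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")),
    "default_encryption": lambda c: c.get("default_encryption") in ("AES256", "aws:kms"),
    "versioning": lambda c: c.get("versioning") == "Enabled",
    "access_logging": lambda c: bool(c.get("logging_target_bucket")),
    "tls_only_policy": lambda c: tls_only_deny_present(c.get("policy", {})),
    "cloudtrail_data_events": lambda c: c.get("cloudtrail_data_events") is True,
}


def audit_bucket(config):
    """Return the sorted names of the layers that are missing."""
    return sorted(name for name, check in LAYERS.items() if not check(config))


# Constructed: a bucket that was created with defaults and never hardened.
WEAK_BUCKET = {
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                            "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "default_encryption": None,
    "versioning": "Suspended",
    "logging_target_bucket": None,
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]},
    "cloudtrail_data_events": False,
}

# Constructed: the same bucket with every layer in place.
HARDENED_BUCKET = {
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "default_encryption": "aws:kms",
    "versioning": "Enabled",
    "logging_target_bucket": "example-access-logs",
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
    "cloudtrail_data_events": True,
}


if __name__ == "__main__":
    print("weak bucket is missing:", audit_bucket(WEAK_BUCKET))
    print("hardened bucket is missing:", audit_bucket(HARDENED_BUCKET))
```

The weak bucket is not “public”, since one of the four public access block flags is set, yet the audit still lists six gaps; that is the behaviour you want from a guardrail, because the single flag that happens to be on is not what you are relying on.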