EmrEltRunner pemrissions

Hello Everyone,

I was reading the IAM setup docs on github and feel that access permissions for EmrEltRunner are quite excessive in the docs. Although it is mentioned that

Note that there should be opportunities to lock these permissions down further

There are no PoLP guidelines to understand what are the least priviliges required for etlRunner.

Is there anyone here who deployed snowplow with PoLP?

Furthermore , is it possible to deploy EmrEtlRunner in different account than where RS and Snowplow live? Is this kind of setup recommended ?

Best,
shashi