I was reading the IAM setup docs on github and feel that access permissions for EmrEltRunner are quite excessive in the docs. Although it is mentioned that
Note that there should be opportunities to lock these permissions down further
There are no PoLP guidelines to understand what are the least priviliges required for etlRunner.
Is there anyone here who deployed snowplow with PoLP?
Furthermore , is it possible to deploy EmrEtlRunner in different account than where RS and Snowplow live? Is this kind of setup recommended ?