
> Even if I pretend I don't know anything about AWS, if somebody handed me credentials with access called "FullAdminAccess" and told me to use them for my little script that only needs read-only access to S3 I would be extremely skeptical.

If you ask for an access key for your little script and get one, you usually only check if it works for your case and not always check if it has any other access, so I can easily see it happening without proper access controls.
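The check the comment describes skipping, whether a key grants more than the script needs, is easy to automate against the policy document attached to the credentials. This is an added example, not code from the thread or from AWS: it compares the Allow statements of an IAM policy JSON against the set of actions the script is assumed to need (here `s3:GetObject` and `s3:ListBucket`), and reports both what is missing and what is excess. The two policy documents are constructed for illustration and are not the real AWS-managed policies.

```python
import fnmatch
import json

# Constructed sample policies for illustration (not real AWS-managed policy documents).
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

S3_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# What the script actually needs (an assumed requirement for this example).
REQUIRED_ACTIONS = {"s3:GetObject", "s3:ListBucket"}


def allowed_actions(policy_json):
    """Collect every Action pattern granted by Allow statements in the policy."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear un-listed
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        patterns.extend(actions)
    return patterns


def review_policy(policy_json, required):
    """Compare granted action patterns with the required actions.

    IAM action names are matched case-insensitively and support '*' wildcards,
    so required actions are tested with fnmatch against each granted pattern.
    Any granted pattern that is not exactly one of the required actions is
    reported as excess; that deliberately includes wildcards such as '*' or
    's3:*', which cover far more than the script needs.
    """
    patterns_lc = [p.lower() for p in allowed_actions(policy_json)]
    required_lc = sorted(a.lower() for a in required)
    missing = [a for a in required_lc
               if not any(fnmatch.fnmatchcase(a, p) for p in patterns_lc)]
    excess = sorted(p for p in patterns_lc if p not in required_lc)
    return {"missing": missing, "excess": excess}


if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_POLICY), ("s3-read", S3_READ_POLICY)):
        print(name, review_policy(doc, REQUIRED_ACTIONS))
```

The check is intentionally conservative and static: it ignores Deny statements, conditions and resource scoping, so a clean result says only that no action beyond the required set is granted, not that the resource list is tight. To confirm the effective permissions of a live principal, the policy simulator (`aws iam simulate-principal-policy`) evaluates the full policy set, including the ones the script's owner never saw.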



It might not necessarily be the developer who's at fault; my point is more that somebody in the chain knew the request was for S3 read access and the key was for FullAdminAccess.

At my job the alarm bells would be ringing and they would bring this up, but Infosys doesn't seem to have a culture that promotes that kind of security awareness.


I agree, but that tells me you are much more detail-oriented than many developers I've worked with. Most devs in the 70-100k a year range are phoning it in 9-5 and only check exactly the boxes a PM and QA person make them check. I very rarely see developers who are in the standard deviation below the median make that kind of check. These are good, productive developers who get lots of tickets done.