Before we introduce this recipe, we need to talk briefly about Identity and Access Management (IAM). IAM is free and is enabled on every account. It allows you to create groups and users and to control exactly what they can and can't do by assigning policies to them.
By default, groups and users have no permissions until you assign them either an AWS Managed Policy or a Customer Managed Policy (one that you manage). You'll want to use AWS Managed Policies as much as possible to avoid having to create and maintain your own.
You pretty much never want to assign a policy ...