+1 on the IAM over-engineering, though to AWS's credit, I suspect it evolved rather than was designed, and that's what you get when evolution has to maintain some level of backward compatibility (think humans still having to be able to lay eggs). Another thing that happens occasionally to SaaS companies is AWS creating a copy of their product in a bit of a sus way - but it's not a technical problem, it's a business model problem.
This is unfortunately unavoidable for any system like IAM. All of them evolve into a monstrosity because of so many conflicting requirements, the most important being simple and tractable on one end and being able to express any imaginable predicate on the other.