Assigning permissions according to the rule of least privilege

When creating your access policies, ensure that the access you assign grants only the minimal permissions required for the identity to perform its task. For example, you would not assign the following policy if the identities associated with it only needed PUT access (s3:PutObject) to a specific bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

This policy gives the associated identities every S3 permission on every bucket in your AWS account. Granting far more access than is needed means the identity can perform any S3 action: objects could be deleted, or buckets and objects could be made public by changing their ACLs or bucket policy. If the identity's role does not require it to carry out any of these functions, the policy should reflect only the actual requirements: the specific actions, on the specific bucket (and, for object-level actions, the object ARN pattern) that the task needs.
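The following script is an added illustration, not code from the book. It puts the wildcard policy above beside a least-privilege version scoped to s3:PutObject on one bucket, then checks both against a constructed set of requests using a deliberately simplified model of IAM policy evaluation (identity policies only, no Condition blocks, resource policies or SCPs; explicit Deny beats Allow, and anything not allowed is implicitly denied). The bucket name example-upload-bucket, the object keys, and the helper names are placeholders chosen for the example.

```python
"""Least-privilege comparison: the wildcard s3:* policy versus a policy scoped
to s3:PutObject on a single bucket.

Added example, not taken from the book. Simplified IAM evaluation model:
identity policies only, no Condition, no resource policies, no SCPs.
Explicit Deny wins, then Allow, otherwise implicit Deny.
Bucket name, object keys and helper names are placeholders.
"""
import json
import re

# The over-broad policy quoted in the text: every S3 action on every resource.
OVERBROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "s3:*", "Resource": "*" }
  ]
}
""")

# Least-privilege version: uploads only, into one (placeholder) bucket.
# s3:PutObject is an object-level action, so the Resource is the object ARN
# pattern (bucket/*), not the bucket ARN itself.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-upload-bucket/*"
    }
  ]
}
""")

BUCKET = "arn:aws:s3:::example-upload-bucket"  # placeholder bucket

# Constructed probe requests: the one action the identity needs, plus
# destructive or exposure-creating actions it should not be able to perform.
REQUIRED = [("s3:PutObject", BUCKET + "/report.csv")]
PROBES = REQUIRED + [
    ("s3:DeleteObject", BUCKET + "/report.csv"),              # data destruction
    ("s3:PutBucketAcl", BUCKET),                              # could make the bucket public
    ("s3:PutBucketPolicy", BUCKET),                           # could grant access to anyone
    ("s3:PutObject", "arn:aws:s3:::other-bucket/report.csv"),  # wrong bucket
]


def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run, '?' any single character.
    Action names match case-insensitively, ARNs case-sensitively."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    regex = "^" + ".*".join(parts) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, then Allow, else implicit Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(a, action, ignore_case=True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def excess_grants(policy, required=REQUIRED, probes=PROBES):
    """Probe requests the policy allows although the task does not need them."""
    return [req for req in probes if req not in required and is_allowed(policy, *req)]


def missing_grants(policy, required=REQUIRED):
    """Required requests the policy fails to allow (too tight is also a defect)."""
    return [req for req in required if not is_allowed(policy, *req)]


if __name__ == "__main__":
    for name, policy in (("s3:* on *", OVERBROAD_POLICY), ("scoped PutObject", SCOPED_POLICY)):
        print(f"{name}: excess={excess_grants(policy)} missing={missing_grants(policy)}")
```

The wildcard policy allows all four unneeded probes (including the two that could expose the bucket publicly), while the scoped policy allows exactly the required upload and nothing else. Note that the scoped policy denies s3:PutObject against the bare bucket ARN, which is correct: the object ARN pattern is what that action is evaluated against. Against a real account, run the same probes through AWS's own evaluation engine rather than this model, for example with aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names s3:DeleteObject s3:PutBucketAcl --resource-arns arn:aws:s3:::example-upload-bucket.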
