What are the minimum permissions needed to enable devs to run AWS Amplify locally?

Assumptions

  1. You have a single AWS Organization, "MyOrg", and single AWS Account, "MyAccountId"
  2. Authn + Authz are managed by AWS Identity Center (for human users)
  3. There is a pre-existing AWS Amplify App (v5) with the following setup:
    1. Hosting Environment: dev, prod
      1. The hosted app is a NextJS web app [1]
    2. Backend Environment: dev, prod
      1. The "auth" Category is enabled
        • Self-registration is disabled
  4. The frontend app hosted on a Hosting Environment uses AWS Amplify's client SDK, amplify-js [1], for authenticating with a Backend Environment.
  5. You have access to an administrator account to modify any of the above.

Goal

You want to onboard another developer to be able to run the frontend app locally; specifically the developer should be able to:

  1. Run the frontend app locally (via cmdline).
  2. Authenticate as user, "user1" [2], with the "dev" Backend Environment through their local frontend app.
  3. Use the frontend app consistent with that of a frontend app hosted in a Hosting Environment backed by the same "dev" Backend Environment.

The developer should NOT be able to:

  4. Run AWS Amplify CLI to modify or delete Backend Environments in any way (e.g. remove a category, or change a category's configuration). Assume the frontend app itself does not require such modification or deletion as part of its function.

Challenge

  1. To run the frontend app locally, you need to set up AWS Amplify's CLI as per this documentation. However, it does not follow the principle of least privilege, using the AdministratorAccess-Amplify AWS-managed policy. This policy allows a developer to perform all actions, including the deletion of apps, re-configuration of categories, and more.

What you've set up already

  1. Added a user for the developer in AWS Identity Center.
    • The developer can login to the organization's SSO portal.
  2. Added the user to a group, "Frontend Developers Group", which is associated to the permission set, "Frontend Developer".
    • The developer can login to the AWS Account, "MyAccountId", as "Frontend Developer".
  3. Added a user to the "dev" app (in the "dev" Backend Environment's auth user pool (AWS Cognito))
    • The developer can login to the frontend app (if backed by the "dev" Backend Environment).
  4. The user has correctly configured their AWS profile to use the "Frontend Developer" permission as per this documentation.
    • The user can successfully authenticate their AWS CLI and Amplify CLI using a profile with the "Frontend Developer" permission set.

The Question

What IAM Policy, AWS-managed or inline, should I associate with the "Frontend Developer" Permission Set to successfully configure AWS Amplify CLI such that the developer cannot run destructive (delete, or edit) actions against an Amplify Backend Environment, but still allows them to read / use backend environments within a frontend app using Amplify's client SDKs?

What I've tried already

I have tried to look through AWS' managed policies, and found only 2:

  • AdministratorAccess-Amplify
  • AmplifyBackendDeployFullAccess

both have rather large permission boundaries and do not fit the use case. I'm looking for something like "AmplifyReadOnly". Looking through the permissions defined within those policies, I have not been able to discern exactly what permissions are needed for the AWS Amplify CLI itself to work. This discernment is difficult because it requires knowing what the AWS Amplify CLI is doing under the hood.

My current recourse is to keep tweaking the IAM Policy, adding one permission at a time. Unfortunately, this approach relies on the CLI giving useful errors, and potentially, a lot of time. Another concern is that running commands, like destructive commands, is scary (even if you make a test app, you're only a few keystrokes away from accidentally deleting something you didn't want to). Lastly, my experience has found AWS Amplify's CLI toolchain to be very brittle if you don't use it exactly in the few ways it works for (even if it, on the surface level, would suggest it supports more options, e.g. needing to always have an unauthenticated user role defined, even if you don't want unauthenticated access).

Footnotes

[1] A NextJS web app for the AWS Amplify App using amplify-js for the AWS Amplify client-side SDK is chosen for illustrative purposes; this question is aimed at an AWS Amplify App with any client-side SDK (those choices shouldn't drive the answer - it should be used for illustrative examples in the answer).

[2] The actual user they authenticate as is unimportant. Naming is used for clarity.
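
For the one-permission-at-a-time iteration described in the question, an added example (not part of the original post, and not AWS or Amplify code) that statically checks a candidate permission-set policy for destructive actions before it is attached, so nothing destructive has to be run to find out. The deny-list, the function names and both sample policies are assumptions constructed for illustration; the check says nothing about which permissions the Amplify CLI itself needs.

```python
import fnmatch

# Assumed deny-list for this example: IAM actions that change or delete an
# Amplify app, its backend environments, or the stack and user pool behind them.
DESTRUCTIVE = [
    "amplify:DeleteApp", "amplify:UpdateApp",
    "amplify:DeleteBackendEnvironment", "amplify:CreateBackendEnvironment",
    "cloudformation:DeleteStack", "cloudformation:UpdateStack",
    "cognito-idp:DeleteUserPool", "cognito-idp:UpdateUserPool",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _covers(statement, action):
    if "NotAction" in statement:
        return not _matches(_as_list(statement["NotAction"]), action)
    return _matches(_as_list(statement.get("Action", [])), action)

def allowed_destructive(policy):
    """List DESTRUCTIVE actions the policy allows without a blanket Deny."""
    statements = _as_list(policy["Statement"])
    findings = []
    for action in DESTRUCTIVE:
        hits = [s for s in statements if _covers(s, action)]
        # Conservative: any Allow counts, whatever its Resource or Condition;
        # a Deny counts only if it is unconditional and applies to every resource.
        allowed = any(s["Effect"] == "Allow" for s in hits)
        denied = any(s["Effect"] == "Deny" and "Condition" not in s
                     and _as_list(s.get("Resource", [])) == ["*"] for s in hits)
        if allowed and not denied:
            findings.append(action)
    return findings

# Constructed candidate policies (not taken from the page or from AWS).
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["amplify:Get*", "amplify:List*", "cloudformation:Describe*"]}]}
WILDCARD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "amplify:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "amplify:Delete*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in [("READ_ONLY", READ_ONLY), ("WILDCARD", WILDCARD)]:
        print(name, allowed_destructive(policy))
```

The second sample shows why a `Delete*` deny on top of `amplify:*` is not enough: update and create actions still pass through the wildcard.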
