Why do you need IAM policies at all to run a service that works on localhost on AWS? I would expect that you need IAM policies if your app integrates with the AWS platform, which it definitely wasn't doing on localhost, or if you are running multiple services in the same account and want to lock them down (e.g. not have services access each other's S3 buckets and such).