Least-privilege IAM for SDK calls

Your SDKDemo function can call STS because GetCallerIdentity requires no explicit permissions. But most SDK operations need IAM grants on the execution role. In this exercise, you'll update the function to call S3, observe the AccessDenied error, and learn how least-privilege policies should be structured to fix it.