Create a single IAM role for each AWS Lambda.
Do not try to create one role for everything, or even one role shared by several Lambdas. That way you never have to grant a function permissions it shouldn't have.
Not giving a Lambda function a permission means it can't do things like accidentally delete something.
It does mean that you have to deploy the permissions alongside each function. That isn't perfect, but it isn't too onerous either.
As an aside, when a single EC2 instance is your whole application, you have to give it every permission the application needs, which may span multiple parts of the AWS ecosystem (RDS, S3, Lambda, DynamoDB, etc.).
When one principal holds many permissions, you open up potential problems with your data.
You also open up potential problems for your developers: any developer can take advantage of any permission that principal holds.
So, keep it simple:
One IAM role for each AWS Lambda function
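As an added illustration (not code from the original post), the following builds a role definition per function and audits it for the grants a single Lambda should never hold; the function names, table ARN and account id are constructed placeholders.

```python
# Added example (not from the original post): one IAM role per Lambda
# function, plus a check that the role stays least-privilege. Function
# names, ARNs and the account id are constructed placeholders.

LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

def build_role(function_name, statements):
    """Return an IAM role definition that belongs to exactly one function."""
    return {
        "RoleName": f"{function_name}-role",  # named after its single owner
        "AssumeRolePolicyDocument": LAMBDA_TRUST_POLICY,
        "Policies": [{
            "PolicyName": f"{function_name}-policy",
            "PolicyDocument": {"Version": "2012-10-17", "Statement": statements},
        }],
    }

def audit_role(role):
    """Flag grants a single function should not hold: wildcard actions,
    wildcard resources, or destructive (Delete*) actions."""
    findings = []
    for stmt in role["Policies"][0]["PolicyDocument"]["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action}")
            elif action.split(":", 1)[1].startswith("Delete"):
                findings.append(f"destructive action {action}")
        if "*" in resources:
            findings.append("wildcard resource")
    return findings

# Constructed: a function that only reads one DynamoDB table.
ORDERS_READER = build_role("orders-reader", [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query"],
    "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders",
}])

# Constructed counter-example: the shared "one role for everything" pattern.
SHARED_ROLE = build_role("shared-everything", [{
    "Effect": "Allow", "Action": ["s3:*", "dynamodb:DeleteTable"], "Resource": "*",
}])

if __name__ == "__main__":
    print(audit_role(ORDERS_READER), audit_role(SHARED_ROLE))
```

The per-function role passes the audit with no findings, while the shared role is flagged on all three counts.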