An e-commerce company is developing a recommendation system using Amazon SageMaker. It wants to ensure that only specific IAM roles have access to SageMaker resources and to the S3 buckets containing training data and model artifacts. Which IAM best practices should the company follow to manage access to these resources securely?
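The question does not come with an answer, so the following is an added worked example (not part of the original question) of what the least-privilege setup it asks about looks like in practice: an identity policy for the SageMaker execution role scoped to exactly one data bucket and one artifact bucket, an identity policy for the engineers who launch jobs with `iam:PassRole` constrained to that single execution role and to the SageMaker service, a bucket policy that denies every principal except the listed roles via `aws:PrincipalArn`, and a small lint that flags wildcard grants before the policies are attached. The account id, bucket names and role names are constructed placeholders.

```python
"""Least-privilege IAM policies for a SageMaker training pipeline.
Added example; account id, bucket names and role names are placeholders."""
import json

ACCOUNT_ID = "123456789012"                        # placeholder account
TRAINING_BUCKET = "example-recsys-training-data"   # placeholder bucket
ARTIFACT_BUCKET = "example-recsys-model-artifacts" # placeholder bucket
EXEC_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/SageMakerRecsysExecutionRole"
ENGINEER_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/RecsysMLEngineerRole"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/BreakGlassAdminRole"
# Keep an admin role in the list: a bucket policy that denies every other
# principal would otherwise lock the account out of its own bucket.
ALLOWED_ROLES = [EXEC_ROLE, ENGINEER_ROLE, ADMIN_ROLE]


def bucket_arns(bucket):
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def build_execution_role_policy():
    """Role SageMaker assumes while training: read one data bucket,
    write one artifact bucket, nothing else."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadTrainingData", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": bucket_arns(TRAINING_BUCKET)},
        {"Sid": "WriteModelArtifacts", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
         "Resource": bucket_arns(ARTIFACT_BUCKET)},
    ]}


def build_engineer_policy():
    """Humans who launch jobs: SageMaker actions scoped by resource ARN, and
    iam:PassRole limited to the one execution role and to SageMaker, so the
    role cannot be handed to another service."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "RunRecsysTrainingJobs", "Effect": "Allow",
         "Action": ["sagemaker:CreateTrainingJob", "sagemaker:DescribeTrainingJob",
                    "sagemaker:StopTrainingJob"],
         "Resource": f"arn:aws:sagemaker:*:{ACCOUNT_ID}:training-job/recsys-*"},
        {"Sid": "PassOnlyTheExecutionRole", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": EXEC_ROLE,
         "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}},
    ]}


def build_bucket_policy(bucket, allowed_role_arns):
    """Resource policy on the bucket: deny every principal not in the list.
    aws:PrincipalArn is the role ARN for assumed-role sessions, so the
    condition also covers credentials obtained through AssumeRole."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyAllButAllowedRoles", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": bucket_arns(bucket),
         "Condition": {"ArnNotEquals": {"aws:PrincipalArn": allowed_role_arns}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": bucket_arns(bucket),
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


# The shape to avoid: one Allow with wildcard actions and a "*" resource.
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow",
     "Action": ["s3:*", "sagemaker:*"], "Resource": "*"}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def find_overbroad_statements(policy):
    """Sids of Allow statements granting a bare '*' resource or a
    service-wide 'service:*' action."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def bucket_policy_blocks(policy, principal_arn):
    """True if the ArnNotEquals deny in build_bucket_policy would reject the
    principal. Simplified check, not a full IAM evaluator."""
    for stmt in policy["Statement"]:
        allowed = stmt.get("Condition", {}).get("ArnNotEquals", {}).get("aws:PrincipalArn")
        if stmt.get("Effect") == "Deny" and allowed is not None:
            if principal_arn not in _as_list(allowed):
                return True
    return False


if __name__ == "__main__":
    print("execution role flagged:", find_overbroad_statements(build_execution_role_policy()))
    print("overbroad flagged:", find_overbroad_statements(OVERBROAD_POLICY))
    print(json.dumps(build_bucket_policy(TRAINING_BUCKET, ALLOWED_ROLES), indent=2))
```

The two layers are deliberate: the identity policies keep each role narrow, and the bucket policy is the backstop that holds even if some other principal in the account is later granted `s3:*` by mistake. The explicit `Deny` wins over any `Allow`, which is also why the break-glass admin role must be in the allowed list before the bucket policy is applied.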