binxio / cfn-custom-provider-template

template source directory for creating AWS Custom CloudFormation Resources in Python
Apache License 2.0

IAM::Role PermissionBoundary #6

Open ambsw-technology opened 4 years ago

ambsw-technology commented 4 years ago

I have a customer who cannot create Roles without incorporating a PermissionsBoundary. My initialization templates deploy a couple of your custom resources (cfn-certificate-provider, cfn-lb-ip-address-provider) and, of course, lambda-based Custom Resources include a Role. I'd like to submit PRs to the two I'm currently using to add a parameter to support this, but wanted to open the issue here in case it makes sense to incorporate it into your template as well.
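One way to wire the parameter the comment proposes into a lambda-based custom resource template. This is an added example, not the project's own template or code; the parameter name `PermissionsBoundary`, the condition `HasPermissionsBoundary` and the resource name `LambdaRole` are assumed, and the inline policy is a placeholder for whatever the provider actually needs.

```yaml
# Added example (not from the repository): optional permissions boundary on the
# provider's Lambda execution role. The parameter, condition and resource names
# are assumptions; only PermissionsBoundary on AWS::IAM::Role is the real property.
AWSTemplateFormatVersion: '2010-09-09'

Parameters:
  PermissionsBoundary:
    Type: String
    Default: ''
    Description: >-
      ARN of the IAM managed policy to attach as the permissions boundary of the
      provider role. Leave empty to create the role without a boundary.

Conditions:
  # Empty string means "no boundary requested"
  HasPermissionsBoundary: !Not [!Equals [!Ref PermissionsBoundary, '']]

Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      # AWS::NoValue removes the property entirely when the parameter is empty,
      # so existing deployments without a boundary are unaffected.
      PermissionsBoundary: !If
        - HasPermissionsBoundary
        - !Ref PermissionsBoundary
        - !Ref AWS::NoValue
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: provider-permissions   # placeholder for the provider's real permissions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                Resource: '*'
```

Two things to keep in mind when adding this: a permissions boundary is an upper bound, so every action the provider's policies grant must also be allowed by the boundary policy or the Lambda will fail at runtime with AccessDenied, not at deploy time; and in an account where role creation is restricted this way (typically an `iam:CreateRole` statement conditioned on the `iam:PermissionsBoundary` key), the stack must be deployed with the parameter set, otherwise the `AWS::IAM::Role` creation itself is denied.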

ambsw-technology commented 4 years ago

Apparently this situation isn't terribly common, but my best guess is that it's motivated by this:

How can I use permissions boundaries to limit the scope of IAM users and roles and prevent privilege escalation?

The client confirmed that every Role must have the permission boundary attached.