org-formation / org-formation-reference

A reference architecture which aims to provide some best practices for any AWS Organization starting out using org-formation.

Update EbsEncryptionDefaultsRp and AccountPublicAccessBlockRp versions in the reference #48

Closed keithduncan closed 1 year ago

keithduncan commented 1 year ago

I recently applied the reference template to an organisation and found that these custom types were not permitted to perform their IAM Actions. I tracked this down to the self protect SCP which limits access to the ec2:DisableEbsEncryptionByDefault and s3:PutAccountPublicAccessBlock IAM Actions. These updated versions place their IAM Role in the /community-types/ Path which the SCP self-protect policy permits to perform the IAM Actions they execute.
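The carve-out this PR relies on, as an added example that is not the reference project's own SCP: a model of a self-protect Deny statement whose ArnNotLike condition on aws:PrincipalArn exempts IAM roles in the /community-types/ Path, with a minimal evaluator to check which role ARNs it denies for the two guarded actions. The statement shape is assumed, and the account id and role names are constructed.

```python
# Added example, not the org-formation-reference project's own policy: the
# statement shape below is ASSUMED to illustrate the self-protect SCP the PR
# describes, and the account id / role names used with it are constructed.
from fnmatch import fnmatchcase

# Assumed self-protect statement: deny the two guarded actions to every
# principal except IAM roles whose Path is /community-types/.
SELF_PROTECT_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProtectEncryptionAndPublicAccessDefaults",
        "Effect": "Deny",
        "Action": ["ec2:DisableEbsEncryptionByDefault",
                   "s3:PutAccountPublicAccessBlock"],
        "Resource": "*",
        "Condition": {"ArnNotLike": {
            "aws:PrincipalArn": "arn:aws:iam::*:role/community-types/*"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_denies(policy: dict, principal_arn: str, action: str) -> bool:
    """True if a Deny in `policy` matches this principal and action (models only
    Deny statements with an Action list and an optional ArnNotLike condition on
    aws:PrincipalArn; '*'/'?' wildcards, case-sensitive; Allow is ignored)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        carve_out = _as_list(stmt.get("Condition", {})
                             .get("ArnNotLike", {})
                             .get("aws:PrincipalArn", []))
        # ArnNotLike holds, so the Deny applies, only when the principal
        # matches none of the carve-out patterns.
        if any(fnmatchcase(principal_arn, p) for p in carve_out):
            continue
        return True
    return False


def role_arn(account_id: str, path: str, name: str) -> str:
    """ARN of an IAM role created with the given Path (e.g. '/community-types/')."""
    return f"arn:aws:iam::{account_id}:role{path}{name}"
```

For role sessions aws:PrincipalArn carries the role's own ARN, so the role Path set when the role is created is what the condition sees; the evaluator ignores Allow statements and other condition keys that a real SCP may also contain.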