pulumi / compliance-policies

A library of policies for Pulumi's Policy as Code
Apache License 2.0

Allow users to list excluded policies from the `PolicyManager` #43

Open desteves opened 6 months ago

desteves commented 6 months ago

Hello!

Issue details

Problem:

I want to exclude one or two policies when using out-of-the-box compliance packages, e.g., the AWS S3 PCI DSS policies. To my knowledge, the only way of achieving this is to do a selectPoliciesByName with the long list of included policies, and hope I didn't miss any. For example, to exclude aws-s3-bucket-enable-replication-configuration, I have to do the following:

import { PolicyPack } from "@pulumi/policy";
import { policyManager } from "@pulumi/compliance-policy-manager";

const name = "s3"; // suffix for the pack name (defined elsewhere in the real program)

new PolicyPack("compliance-ready-policies-" + name, {
    policies: [
        // Every aws/awsnative S3 policy has to be listed by hand, leaving out
        // the one to exclude ("aws-s3-bucket-enable-replication-configuration").
        ...policyManager.selectPoliciesByName(
            [
                "aws-s3-bucket-configure-replication-configuration",
                "aws-s3-bucket-configure-server-side-encryption-customer-managed-key",
                "aws-s3-bucket-configure-server-side-encryption-kms",
                "aws-s3-bucket-disallow-public-read",
                "aws-s3-bucket-enable-server-side-encryption",
                "aws-s3-bucket-enable-server-side-encryption-bucket-key",
                "awsnative-s3-bucket-configure-replication-configuration",
                "awsnative-s3-bucket-configure-server-side-encryption-customer-managed-key",
                "awsnative-s3-bucket-configure-server-side-encryption-kms",
                "awsnative-s3-bucket-disallow-public-read",
                "awsnative-s3-bucket-enable-replication-configuration",
                "awsnative-s3-bucket-enable-server-side-encryption",
                "awsnative-s3-bucket-enable-server-side-encryption-bucket-key",
            ], // instead of simply: services: ["s3"]
            "mandatory",
        ),
    ],
});

Potential solution:

Similar to how we have a selectPolicies, we could have an excludePolicies equivalent.

Affected area/feature
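The selector the issue asks for, sketched as an added example that is not code from pulumi/compliance-policies or from the issue author: a small `excludePoliciesByName` helper over a constructed catalog (the `Policy` shape, the helper and `ExcludeError` are assumptions for illustration). The security-relevant detail is that an exclusion list must be validated: a misspelt policy name should fail loudly rather than be silently ignored, otherwise the pack ships with one policy fewer than intended, which is the same "hope I didn't miss any" failure mode the hand-maintained include list has.

```typescript
// Added example (not part of pulumi/compliance-policies): an "exclude by name"
// counterpart to selectPoliciesByName. Policy shape and names are assumptions.

type EnforcementLevel = "advisory" | "mandatory" | "disabled";

interface Policy {
    name: string;
    description: string;
    enforcementLevel: EnforcementLevel;
}

// Constructed catalog using policy names quoted in the issue.
const catalog: Policy[] = [
    "aws-s3-bucket-configure-replication-configuration",
    "aws-s3-bucket-disallow-public-read",
    "aws-s3-bucket-enable-replication-configuration",
    "aws-s3-bucket-enable-server-side-encryption",
    "awsnative-s3-bucket-disallow-public-read",
].map((name): Policy => ({
    name,
    description: `constructed policy ${name}`,
    enforcementLevel: "advisory",
}));

class ExcludeError extends Error {}

// Return every policy in `all` except those named in `excluded`, stamped with
// the requested enforcement level. Unknown names raise instead of being
// ignored: a typo in the exclusion list would otherwise leave the policy
// enabled (or, for the name you meant to exclude, silently keep it).
function excludePoliciesByName(
    all: Policy[],
    excluded: string[],
    enforcementLevel: EnforcementLevel = "advisory",
): Policy[] {
    const known = new Set(all.map((p) => p.name));
    const unknown = excluded.filter((n) => !known.has(n));
    if (unknown.length > 0) {
        throw new ExcludeError(`unknown policy name(s): ${unknown.join(", ")}`);
    }
    const drop = new Set(excluded);
    return all
        .filter((p) => !drop.has(p.name))
        .map((p) => ({ ...p, enforcementLevel }));
}

function selectedNames(policies: Policy[]): string[] {
    return policies.map((p) => p.name);
}

// Usage: the whole S3 catalog as mandatory, minus the one policy from the issue.
const pack = excludePoliciesByName(
    catalog,
    ["aws-s3-bucket-enable-replication-configuration"],
    "mandatory",
);
console.log(selectedNames(pack));
```

With a real `PolicyManager` the catalog would come from the registered policies rather than a literal array; the validation step is the part worth keeping, since it turns a silent gap in coverage into a failed `pulumi preview`.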