This repository has been archived by the owner on Nov 14, 2024. It is now read-only.

IAM::Role PermissionBoundary #6

Open
ambsw-technology opened this issue Aug 3, 2020 · 1 comment

ambsw-technology commented Aug 3, 2020

I have a customer who cannot create Roles without incorporating a PermissionsBoundary. My initialization templates deploy a couple of your custom resources (cfn-certificate-provider, cfn-lb-ip-address-provider) and, of course, lambda-based Custom Resources include a Role. I'd like to submit PRs to the two I'm currently using to add a parameter to support this, but wanted to open the issue here in case it makes sense to incorporate it into your template as well.

@ambsw-technology

Apparently this situation isn't terribly common, but my best guess is that it's motivated by this:

How can I use permissions boundaries to limit the scope of IAM users and roles and prevent privilege escalation?

The client confirmed that every Role must have the permission boundary attached.
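
What the request in this thread could look like in a CloudFormation template, as an added example that is not part of the issue and not taken from the project's own templates. The parameter name `PermissionsBoundaryArn`, the condition `HasPermissionsBoundary` and the logical ID `LambdaRole` are hypothetical; an empty parameter leaves the role without a boundary, so the same template still deploys in accounts that do not require one.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Constructed example - Lambda execution role with an optional permissions boundary

Parameters:
  # Hypothetical parameter name; empty string means "no boundary".
  PermissionsBoundaryArn:
    Type: String
    Default: ''
    Description: ARN of the managed policy to attach as the role's permissions boundary
    # Accept either an empty value or an IAM managed policy ARN in any partition.
    AllowedPattern: '^$|^arn:aws[a-z-]*:iam::(\d{12}|aws):policy/.+$'

Conditions:
  # True only when the deployer supplied a boundary policy ARN.
  HasPermissionsBoundary: !Not [!Equals [!Ref PermissionsBoundaryArn, '']]

Resources:
  # Hypothetical logical ID for the role behind a Lambda-backed custom resource.
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # AWS::NoValue removes the property entirely when no boundary is given.
      PermissionsBoundary: !If
        - HasPermissionsBoundary
        - !Ref PermissionsBoundaryArn
        - !Ref 'AWS::NoValue'
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
```

The boundary caps what the role's identity policies can grant; it does not grant anything itself, so the role's own policies must still allow whatever the function needs.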
