This repository has been archived by the owner on Oct 10, 2023. It is now read-only.
Today I just noticed that if someone creates a new IAM user or IAM role and specifies a permission boundary policy during the role/user creation (for example, via the creation wizard), and this policy is AWS-managed, the Lambda function will not be able to update this policy to be equal to our "correct" policy and will fail.
After that, the IAM user/role's permission boundary policy will remain the same as specified in the creation request, and the "correct" policy will not be enforced.
It's necessary to manually change the policy for each "broken" user/role.
Please see the code here: https://github.com/aws-samples/scp-alternative-solution/blob/main/lambda/scp-iam-event-dispatcher.py#L430
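One way an enforcer could handle the situation described above, as an added example that is not the repository's own code: instead of trying to modify the policy currently attached as the boundary (which cannot work for an AWS-managed policy), it swaps the boundary reference to the correct policy ARN and reports what it did. The client calls follow boto3's `get_user` / `put_user_permissions_boundary` shape; `FakeIAM`, the user names and the ARNs are constructed so the example runs offline, and roles would be handled the same way with `get_role` / `put_role_permissions_boundary`.

```python
# Added example (not code from scp-alternative-solution): enforce a permission
# boundary without editing the policy that is currently attached. Assumes a
# boto3-style IAM client (get_user / put_user_permissions_boundary); FakeIAM
# stands in for it so the example runs offline.

def is_aws_managed(policy_arn: str) -> bool:
    """AWS-managed policies live under the pseudo-account 'aws'; they cannot be edited."""
    parts = policy_arn.split(":")
    return (len(parts) == 6 and parts[2] == "iam"
            and parts[4] == "aws" and parts[5].startswith("policy/"))

def enforce_user_boundary(iam, user_name: str, correct_arn: str) -> str:
    """Point the user's boundary at correct_arn; returns the action taken.
    The attached policy is never modified (that fails for an AWS-managed policy,
    the case from the issue); the boundary reference is swapped instead."""
    user = iam.get_user(UserName=user_name)["User"]
    current = user.get("PermissionsBoundary", {}).get("PermissionsBoundaryArn")
    if current == correct_arn:
        return "unchanged"
    iam.put_user_permissions_boundary(UserName=user_name,
                                      PermissionsBoundary=correct_arn)
    if current is None:
        return "attached"
    return "replaced aws-managed" if is_aws_managed(current) else "replaced customer-managed"

class FakeIAM:
    """Constructed stand-in for boto3's IAM client; mirrors get_user()'s response shape."""
    def __init__(self, users):
        self.users = users  # user name -> current boundary ARN, or None

    def get_user(self, UserName):
        user = {"UserName": UserName}
        if self.users[UserName]:
            user["PermissionsBoundary"] = {"PermissionsBoundaryType": "Policy",
                                           "PermissionsBoundaryArn": self.users[UserName]}
        return {"User": user}

    def put_user_permissions_boundary(self, UserName, PermissionsBoundary):
        self.users[UserName] = PermissionsBoundary
        return {}

# Constructed sample data: placeholder account id and policy names.
CORRECT_ARN = "arn:aws:iam::123456789012:policy/correct-boundary"

if __name__ == "__main__":
    iam = FakeIAM({"alice": "arn:aws:iam::aws:policy/ReadOnlyAccess",
                   "bob": None, "carol": CORRECT_ARN})
    for name in list(iam.users):
        print(name, "->", enforce_user_boundary(iam, name, CORRECT_ARN))
```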