From 809776a87d030baeee5d0a770b5eb6af244a4afa Mon Sep 17 00:00:00 2001
From: Shawn Huckabay
Date: Fri, 13 Dec 2024 15:04:14 -0600
Subject: [PATCH] POL-1430 Automate Updating AWS CloudFormation Template (#2883)

* update
* fix
* update
* fix
* update
* fix
* update
* update
* update
* update
* update
* update
* update
* update
* update
* update
* update
* update
* update
* update
* update
* update
* update
---
 .github/workflows/cfn-lint.yaml | 12 +-
 .github/workflows/cfn-test.yaml | 23 +-
 .../generate-aws-cloudformation-template.yaml | 10 +-
 .../update-aws-cloudformation-template.yaml | 51 +
 cost/aws/s3_lifecycle/README.md | 4 +-
 .../master_policy_permissions_list.json | 70 +-
 .../master_policy_permissions_list.yaml | 45 +-
 .../FlexeraAutomationPolicies.template | 4444 +++++++++++++++--
 ...FlexeraAutomationPoliciesReadOnly.template | 51 +-
 tools/cloudformation-template/README.md | 14 +-
 .../aws_cft_generator.rb | 10 +-
 .../aws_cft_generator.template.txt | 1 -
 .../aws_cft_new_release.rb | 37 +
 ...FlexeraAutomationPolicies_v0.9.0.template} | 78 +-
 .../validated_policy_templates.yaml | 1 -
 15 files changed, 4178 insertions(+), 673 deletions(-)
 create mode 100644 .github/workflows/update-aws-cloudformation-template.yaml
 rename tools/cloudformation-template/{rolling => }/FlexeraAutomationPoliciesReadOnly.template (98%)
 create mode 100644 tools/cloudformation-template/aws_cft_new_release.rb
 rename tools/cloudformation-template/{rolling/FlexeraAutomationPolicies.template => releases/FlexeraAutomationPolicies_v0.9.0.template} (98%)

diff --git a/.github/workflows/cfn-lint.yaml b/.github/workflows/cfn-lint.yaml
index 9ec0cf2e2a..9e424417a6 100644
--- a/.github/workflows/cfn-lint.yaml
+++ b/.github/workflows/cfn-lint.yaml
@@ -8,6 +8,9 @@ on:
     branches:
       - master
 
+  # Workflow dispatch trigger allows manually running workflow
+  workflow_dispatch: {}
+
 jobs:
   cloudformation-linter:
     runs-on: ubuntu-latest
@@ -16,8 +19,13 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
 
-      - name: Setup Cloud Formation Linter with Latest Version
-        uses: scottbrenner/cfn-lint-action@v2
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+
+      - name: Install cfn-lint
+        run: pip install cfn-lint
 
       - name: Print the Cloud Formation Linter Version & run Linter.
         run: |
diff --git a/.github/workflows/cfn-test.yaml b/.github/workflows/cfn-test.yaml
index 4abb14d4ef..1bd6c82a62 100644
--- a/.github/workflows/cfn-test.yaml
+++ b/.github/workflows/cfn-test.yaml
@@ -19,25 +19,20 @@ jobs:
       matrix:
         # matrix.template_files is a list of template files to test
         template_files:
-          - ./cost/aws/FlexeraReadOnlyPolicy.template
           - ./tools/cloudformation-template/FlexeraAutomationPolicies.template
-
-          # TODO: Fix wildcard/dynamic release list
-          # - ./tools/cloudformation-template/releases/*.template
-
-          # Staticly define release templates for now
-          - ./tools/cloudformation-template/releases/FlexeraAutomationPolicies_v0.1.0.template
-          - ./tools/cloudformation-template/releases/FlexeraAutomationPolicies_v0.1.1.template
-          - ./tools/cloudformation-template/releases/FlexeraAutomationPolicies_v0.2.0.template
-          - ./tools/cloudformation-template/releases/FlexeraAutomationPolicies_v0.2.1.template
-          - ./tools/cloudformation-template/releases/FlexeraAutomationPolicies_v0.3.0.template
-          - ./tools/cloudformation-template/releases/FlexeraAutomationPolicies_v0.4.0.template
+          - ./tools/cloudformation-template/FlexeraAutomationPoliciesReadOnly.template
+          - ./tools/cloudformation-template/FlexeraAutomationPoliciesSimple.template
     steps:
       - name: Checkout
         uses: actions/checkout@v2
 
-      - name: Setup Cloud Formation Linter with Latest Version
-        uses: scottbrenner/cfn-lint-action@v2
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+
+      - name: Install cfn-lint
+        run: pip install cfn-lint
 
       - name: Run Cloudformation Linter
         id: cfn-lint
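Review bot: The new `Install cfn-lint` step runs `pip install cfn-lint` with no version constraint, so every run pulls whatever cfn-lint release is current on PyPI; the linter's rules (and thus the job's pass/fail verdict for an unchanged template) can change overnight, and the job trusts an unpinned network download where the previous `scottbrenner/cfn-lint-action@v2` was at least tied to a release tag. Pin it, e.g. `run: pip install 'cfn-lint==X.Y.Z'` with the version the team last validated against (or a hash-pinned requirements file), and bump it deliberately. While here, `actions/checkout@v2` is an old major; the update workflow added in this same commit uses `@v3`, so aligning them (ideally pinned to a commit SHA) keeps the three workflows consistent.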
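Review bot: The matrix in cfn-test.yaml drops every `releases/FlexeraAutomationPolicies_v*.template` entry without replacing the wildcard the old TODO asked for, so the versioned release templates — the artifacts customers actually deploy, and which `aws_cft_new_release.rb` (added in this commit) will keep producing — are no longer linted by this job. A shell step that globs would close the TODO instead of hiding it, e.g. `run: cfn-lint tools/cloudformation-template/*.template tools/cloudformation-template/releases/*.template`. Also, `FlexeraAutomationPoliciesSimple.template` is listed but does not appear anywhere in this commit's diffstat; if it does not already exist on master, that matrix entry will fail when cfn-lint is handed a missing path. The unpinned `pip install cfn-lint` noted on cfn-lint.yaml applies to this file as well.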
diff --git a/.github/workflows/generate-aws-cloudformation-template.yaml b/.github/workflows/generate-aws-cloudformation-template.yaml
index 485766ccd7..40bad365d1 100644
--- a/.github/workflows/generate-aws-cloudformation-template.yaml
+++ b/.github/workflows/generate-aws-cloudformation-template.yaml
@@ -1,4 +1,4 @@
-name: Generate Meta Parent Policy Templates
+name: Generate AWS CloudFormation Template
 
 on:
   # Trigger this workflow on pushes to master
@@ -31,10 +31,10 @@ jobs:
         id: cpr
         uses: peter-evans/create-pull-request@v4
         with:
-          commit-message: "Update AWS CloudFormation Template"
-          title: "Update AWS CloudFormation Template"
-          body: "Update AWS CloudFormation Template from GitHub Actions Workflow [${{ github.workflow }}](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})"
-          branch: "task/update-aws-cloudformation-template"
+          commit-message: "Generate AWS CloudFormation Template"
+          title: "Generate AWS CloudFormation Template"
+          body: "Generate AWS CloudFormation Template from GitHub Actions Workflow [${{ github.workflow }}](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})"
+          branch: "task/generate-aws-cloudformation-template"
           delete-branch: true
           labels: "automation"
 
diff --git a/.github/workflows/update-aws-cloudformation-template.yaml b/.github/workflows/update-aws-cloudformation-template.yaml
new file mode 100644
index 0000000000..90f2dd8c76
--- /dev/null
+++ b/.github/workflows/update-aws-cloudformation-template.yaml
@@ -0,0 +1,51 @@
+name: Update AWS CloudFormation Template Release
+
+on:
+  schedule:
+    # ┌───────────── minute (0 - 59)
+    # │ ┌───────────── hour (0 - 23)
+    # │ │ ┌───────────── day of the month (1 - 31)
+    # │ │ │ ┌───────────── month (1 - 12 or JAN-DEC)
+    # │ │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
+    # │ │ │ │ │
+    # │ │ │ │ │
+    # │ │ │ │ │
+    # * * * * *
+    # At 12am daily
+    - cron: "0 0 * * *"
+
+  # Workflow dispatch trigger allows manually running workflow
+  workflow_dispatch: {}
+
+jobs:
+  meta-parent-policy-templates:
+    name: "Update AWS CloudFormation Template"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # Speed up checkout by not fetching history
+
+      - uses: ruby/setup-ruby@v1
+
+      - name: Update AWS CloudFormation Template
+        working-directory: tools/cloudformation-template
+        run: |
+          ruby aws_cft_new_release.rb
+
+      - name: Create Pull Request
+        id: cpr
+        uses: peter-evans/create-pull-request@v4
+        with:
+          commit-message: "Update AWS CloudFormation Template Release"
+          title: "Update AWS CloudFormation Template Release"
+          body: "Update AWS CloudFormation Template Release from GitHub Actions Workflow [${{ github.workflow }}](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})"
+          branch: "task/update-aws-cloudformation-template-release"
+          delete-branch: true
+          labels: "automation"
+
+      - name: Check outputs
+        if: ${{ steps.cpr.outputs.pull-request-number }}
+        run: |
+          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
+          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
diff --git a/cost/aws/s3_lifecycle/README.md b/cost/aws/s3_lifecycle/README.md
index e3d0d6eb68..5d56630454 100644
--- a/cost/aws/s3_lifecycle/README.md
+++ b/cost/aws/s3_lifecycle/README.md
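Review bot: The new workflow declares no `permissions:` block, so its GITHUB_TOKEN inherits the repository's default scope (write-all on older repos) even though the only writes it needs are the ones peter-evans/create-pull-request performs on a branch and a PR; a top-level `permissions:` with `contents: write` and `pull-requests: write` bounds what a compromised `ruby/setup-ruby`, `create-pull-request` or the unreviewed `aws_cft_new_release.rb` could do with that token on a scheduled, unattended run. On the checkout step the comment contradicts the value: `fetch-depth: 0` fetches the full history, and `1` is the shallow clone — I cannot tell from this diff whether the release script needs tags or history, so either keep `0` and reword the comment to say the full history is required, or switch to `fetch-depth: 1` if it is not. The job id `meta-parent-policy-templates` appears to be copied from the meta-parent workflow; `update-aws-cloudformation-template` would match the file and its display name.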
@@ -34,7 +34,7 @@ For administrators [creating and managing credentials](https://docs.flexera.com/
   - `s3:ListAllMyBuckets`
   - `s3:GetBucketLocation`
   - `s3:GetBucketTagging`
-  - `s3:GetBucketLifecycleConfiguration`
+  - `s3:GetLifecycleConfiguration`
   - `sts:GetCallerIdentity`
 
 Example IAM Permission Policy:
@@ -49,7 +49,7 @@ For administrators [creating and managing credentials](https://docs.flexera.com/
         "s3:ListAllMyBuckets",
         "s3:GetBucketLocation",
         "s3:GetBucketTagging",
-        "s3:GetBucketLifecycleConfiguration",
+        "s3:GetLifecycleConfiguration",
         "sts:GetCallerIdentity"
       ],
       "Resource": "*"
diff --git a/data/policy_permissions_list/master_policy_permissions_list.json b/data/policy_permissions_list/master_policy_permissions_list.json
index 7cc40460c6..e2a84d18c6 100644
--- a/data/policy_permissions_list/master_policy_permissions_list.json
+++ b/data/policy_permissions_list/master_policy_permissions_list.json
@@ -2537,7 +2537,7 @@
             "required": true
           },
           {
-            "name": "s3:GetBucketLifecycleConfiguration",
+            "name": "s3:GetLifecycleConfiguration",
             "read_only": true,
             "required": true
           },
@@ -2953,72 +2953,6 @@
       }
     ]
   },
-  {
-    "id": "./cost/aws/superseded_instances/aws_superseded_instances.pt",
-    "name": "AWS Superseded EC2 Instances",
-    "version": "2.3.3",
-    "providers": [
-      {
-        "name": "aws",
-        "permissions": [
-          {
-            "name": "ec2:DescribeRegions",
-            "read_only": true,
-            "required": true
-          },
-          {
-            "name": "ec2:DescribeInstances",
-            "read_only": true,
-            "required": true
-          },
-          {
-            "name": "ec2:DescribeInstanceStatus",
-            "read_only": false,
-            "required": false,
-            "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions."
-          },
-          {
-            "name": "ec2:DescribeTags",
-            "read_only": true,
-            "required": true
-          },
-          {
-            "name": "ec2:ModifyInstanceAttribute",
-            "read_only": false,
-            "required": false,
-            "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions."
-          },
-          {
-            "name": "ec2:StartInstances",
-            "read_only": false,
-            "required": false,
-            "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions."
-          },
-          {
-            "name": "ec2:StopInstances",
-            "read_only": false,
-            "required": false,
-            "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions."
-          },
-          {
-            "name": "sts:GetCallerIdentity",
-            "read_only": true,
-            "required": true
-          }
-        ]
-      },
-      {
-        "name": "flexera",
-        "permissions": [
-          {
-            "name": "billing_center_viewer",
-            "read_only": true,
-            "required": true
-          }
-        ]
-      }
-    ]
-  },
   {
     "id": "./cost/aws/unused_albs/aws_unused_albs.pt",
     "name": "AWS Unused Application Load Balancers",
@@ -10176,4 +10110,4 @@
     ]
   }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/policy_permissions_list/master_policy_permissions_list.yaml b/data/policy_permissions_list/master_policy_permissions_list.yaml
index a2da1fd1c0..ee580fa632 100644
--- a/data/policy_permissions_list/master_policy_permissions_list.yaml
+++ b/data/policy_permissions_list/master_policy_permissions_list.yaml
@@ -1458,7 +1458,7 @@
     - name: s3:GetBucketTagging
       read_only: true
       required: true
-    - name: s3:GetBucketLifecycleConfiguration
+    - name: s3:GetLifecycleConfiguration
       read_only: true
       required: true
     - name: sts:GetCallerIdentity
@@ -1700,49 +1700,6 @@
     - name: billing_center_viewer
       read_only: true
       required: true
-- id: "./cost/aws/superseded_instances/aws_superseded_instances.pt"
-  name: AWS Superseded EC2 Instances
-  version: 2.3.3
-  :providers:
-  - :name: aws
-    :permissions:
-    - name: ec2:DescribeRegions
-      read_only: true
-      required: true
-    - name: ec2:DescribeInstances
-      read_only: true
-      required: true
-    - name: ec2:DescribeInstanceStatus
-      read_only: false
-      required: false
-      description: Only required for taking action; the policy will still function
-        in a read-only capacity without these permissions.
-    - name: ec2:DescribeTags
-      read_only: true
-      required: true
-    - name: ec2:ModifyInstanceAttribute
-      read_only: false
-      required: false
-      description: Only required for taking action; the policy will still function
-        in a read-only capacity without these permissions.
-    - name: ec2:StartInstances
-      read_only: false
-      required: false
-      description: Only required for taking action; the policy will still function
-        in a read-only capacity without these permissions.
-    - name: ec2:StopInstances
-      read_only: false
-      required: false
-      description: Only required for taking action; the policy will still function
-        in a read-only capacity without these permissions.
-    - name: sts:GetCallerIdentity
-      read_only: true
-      required: true
-  - :name: flexera
-    :permissions:
-    - name: billing_center_viewer
-      read_only: true
-      required: true
 - id: "./cost/aws/unused_albs/aws_unused_albs.pt"
   name: AWS Unused Application Load Balancers
   version: 0.2.3
diff --git a/tools/cloudformation-template/FlexeraAutomationPolicies.template b/tools/cloudformation-template/FlexeraAutomationPolicies.template index b4b02d7866..c0a7adb02e 100644 --- a/tools/cloudformation-template/FlexeraAutomationPolicies.template +++ b/tools/cloudformation-template/FlexeraAutomationPolicies.template @@ -1,5 +1,6 @@ AWSTemplateFormatVersion: 2010-09-09 Description: "CloudFormation Stack with IAM Role and IAM Permission Policy used by Flexera Automation. Official Docs: https://docs.flexera.com/" +# For more details, see: https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/README.md Metadata: # AWS::CloudFormation::Interface is a metadata key that defines how parameters are grouped and sorted in the AWS CloudFormation console. 
@@ -22,23 +23,171 @@ Metadata: - Label: default: "Parameters related to Policy Template permissions on the IAM Role that is created" Parameters: - #### For each policy template append: - # - paramPerms - - paramPermsAWSUnusedVolumes - - paramPermsAWSRightsizeEBSVolumes - - paramPermsAWSRightsizeRDSInstances - - paramPermsAWSUnusedIPAddresses - - paramPermsAWSUnusedCLBs + ## All AWS Policy Templates + - paramPermsAllAWSPolicyTemplates + ## AWS Account Credentials + - paramPermsAWSAccountCredentials + ## AWS Accounts Missing Service Control Policies + - paramPermsAWSAccountsMissingServiceControlPolicies + ## AWS Burstable EC2 Instances + - paramPermsAWSBurstableEC2Instances + ## AWS CloudTrail Not Enabled In All Regions + - paramPermsAWSCloudTrailNotEnabledInAllRegions + ## AWS CloudTrail S3 Buckets Without Access Logging + - paramPermsAWSCloudTrailS3BucketsWithoutAccessLogging + ## AWS CloudTrails Not Integrated With CloudWatch + - paramPermsAWSCloudTrailsNotIntegratedWithCloudWatch + ## AWS CloudTrails With Read Logging Enabled + - paramPermsAWSCloudTrailsWithReadLoggingEnabled + ## AWS CloudTrails Without Encrypted Logs + - paramPermsAWSCloudTrailsWithoutEncryptedLogs + ## AWS CloudTrails Without Log File Validation Enabled + - paramPermsAWSCloudTrailsWithoutLogFileValidationEnabled + ## AWS CloudTrails Without Object-level Events Logging Enabled + - paramPermsAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled + ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled + - paramPermsAWSCustomerManagedKeysCMKsWithoutRotationEnabled + ## AWS Disallowed Regions + - paramPermsAWSDisallowedRegions + ## AWS EC2 Compute Optimizer Recommendations + - paramPermsAWSEC2ComputeOptimizerRecommendations + ## AWS EC2 Instances Time Stopped Report + - paramPermsAWSEC2InstancesTimeStoppedReport + ## AWS EC2 Instances not running FlexNet Inventory Agent + - paramPermsAWSEC2InstancesnotrunningFlexNetInventoryAgent + ## AWS EKS Clusters Without Spot Instances + - 
paramPermsAWSEKSClustersWithoutSpotInstances + ## AWS Elastic Load Balancers With Unencrypted Listeners + - paramPermsAWSElasticLoadBalancersWithUnencryptedListeners + ## AWS Expiring Savings Plans + - paramPermsAWSExpiringSavingsPlans + ## AWS IAM Account Missing Support Role + - paramPermsAWSIAMAccountMissingSupportRole + ## AWS IAM Attached Admin Policies + - paramPermsAWSIAMAttachedAdminPolicies + ## AWS IAM Expired SSL/TLS Certificates + - paramPermsAWSIAMExpiredSSLTLSCertificates + ## AWS IAM Insufficient Required Password Length + - paramPermsAWSIAMInsufficientRequiredPasswordLength + ## AWS IAM Password Policy Not Restricting Password Reuse + - paramPermsAWSIAMPasswordPolicyNotRestrictingPasswordReuse + ## AWS IAM Role Audit + - paramPermsAWSIAMRoleAudit + ## AWS IAM Root Account Access Keys + - paramPermsAWSIAMRootAccountAccessKeys + ## AWS IAM Root User Account Without Hardware MFA + - paramPermsAWSIAMRootUserAccountWithoutHardwareMFA + ## AWS IAM Root User Account Without MFA + - paramPermsAWSIAMRootUserAccountWithoutMFA + ## AWS IAM Root User Doing Everyday Tasks + - paramPermsAWSIAMRootUserDoingEverydayTasks + ## AWS IAM User Accounts Without MFA + - paramPermsAWSIAMUserAccountsWithoutMFA + ## AWS IAM Users With Directly-Attached Policies + - paramPermsAWSIAMUsersWithDirectlyAttachedPolicies + ## AWS IAM Users With Multiple Active Access Keys + - paramPermsAWSIAMUsersWithMultipleActiveAccessKeys + ## AWS IAM Users With Old Access Keys + - paramPermsAWSIAMUsersWithOldAccessKeys + ## AWS Idle NAT Gateways + - paramPermsAWSIdleNATGateways + ## AWS Internet-Accessible Elastic Load Balancers + - paramPermsAWSInternetAccessibleElasticLoadBalancers + ## AWS Lambda Functions With High Error Rate + - paramPermsAWSLambdaFunctionsWithHighErrorRate + ## AWS Lambda Functions Without Provisioned Concurrency + - paramPermsAWSLambdaFunctionsWithoutProvisionedConcurrency + ## AWS Long Running Instances + - paramPermsAWSLongRunningInstances + ## AWS Long Stopped EC2 
Instances + - paramPermsAWSLongStoppedEC2Instances + ## AWS Missing Regions + - paramPermsAWSMissingRegions + ## AWS Old Snapshots - paramPermsAWSOldSnapshots + ## AWS Open S3 Buckets + - paramPermsAWSOpenS3Buckets + ## AWS Oversized S3 Buckets + - paramPermsAWSOversizedS3Buckets + ## AWS Publicly Accessible CloudTrail S3 Buckets + - paramPermsAWSPubliclyAccessibleCloudTrailS3Buckets + ## AWS Publicly Accessible RDS Instances + - paramPermsAWSPubliclyAccessibleRDSInstances + ## AWS RDS Instances With Unapproved Backup Settings + - paramPermsAWSRDSInstancesWithUnapprovedBackupSettings + ## AWS Regions Without Access Analyzer Enabled + - paramPermsAWSRegionsWithoutAccessAnalyzerEnabled + ## AWS Regions Without Config Fully Enabled + - paramPermsAWSRegionsWithoutConfigFullyEnabled + ## AWS Regions Without Default EBS Encryption + - paramPermsAWSRegionsWithoutDefaultEBSEncryption + ## AWS Reserved Instances Coverage + - paramPermsAWSReservedInstancesCoverage + ## AWS Reserved Instances Recommendations + - paramPermsAWSReservedInstancesRecommendations + ## AWS Rightsize EBS Volumes + - paramPermsAWSRightsizeEBSVolumes + ## AWS Rightsize EC2 Instances - paramPermsAWSRightsizeEC2Instances - - paramPermsAWSSupersededEC2Instances - - paramPermsAWSReservedInstancesRecommendation - - paramPermsAWSObjectStorageOptimization - - paramPermsAWSExpiringSavingsPlans + ## AWS Rightsize ElastiCache + - paramPermsAWSRightsizeElastiCache + ## AWS Rightsize RDS Instances + - paramPermsAWSRightsizeRDSInstances + ## AWS Rightsize Redshift + - paramPermsAWSRightsizeRedshift + ## AWS S3 Buckets Accepting HTTP Requests + - paramPermsAWSS3BucketsAcceptingHTTPRequests + ## AWS S3 Buckets Without Default Encryption Configuration + - paramPermsAWSS3BucketsWithoutDefaultEncryptionConfiguration + ## AWS S3 Buckets Without Intelligent Tiering + - paramPermsAWSS3BucketsWithoutIntelligentTiering + ## AWS S3 Buckets Without Lifecycle Configuration + - paramPermsAWSS3BucketsWithoutLifecycleConfiguration 
+ ## AWS S3 Buckets Without MFA Delete Enabled + - paramPermsAWSS3BucketsWithoutMFADeleteEnabled + ## AWS S3 Buckets Without Public Access Blocked + - paramPermsAWSS3BucketsWithoutPublicAccessBlocked + ## AWS S3 Buckets Without Server Access Logging + - paramPermsAWSS3BucketsWithoutServerAccessLogging + ## AWS S3 Incomplete Multi-Part Uploads + - paramPermsAWSS3IncompleteMultiPartUploads + ## AWS Savings Plan Recommendations - paramPermsAWSSavingsPlanRecommendations + ## AWS Savings Plan Utilization - paramPermsAWSSavingsPlanUtilization + ## AWS Schedule Instance + - paramPermsAWSScheduleInstance + ## AWS Scheduled EC2 Events + - paramPermsAWSScheduledEC2Events + ## AWS Superseded EBS Volumes + - paramPermsAWSSupersededEBSVolumes + ## AWS Superseded EC2 Instances + - paramPermsAWSSupersededEC2Instances + ## AWS Tag Cardinality Report - paramPermsAWSTagCardinalityReport + ## AWS Unencrypted EBS Volumes + - paramPermsAWSUnencryptedEBSVolumes + ## AWS Unencrypted RDS Instances + - paramPermsAWSUnencryptedRDSInstances + ## AWS Untagged Resources - paramPermsAWSUntaggedResources + ## AWS Unused Application Load Balancers + - paramPermsAWSUnusedApplicationLoadBalancers + ## AWS Unused Classic Load Balancers + - paramPermsAWSUnusedClassicLoadBalancers + ## AWS Unused ECS Clusters + - paramPermsAWSUnusedECSClusters + ## AWS Unused IAM Credentials + - paramPermsAWSUnusedIAMCredentials + ## AWS Unused IP Addresses + - paramPermsAWSUnusedIPAddresses + ## AWS Unused Network Load Balancers + - paramPermsAWSUnusedNetworkLoadBalancers + ## AWS VPCs Without FlowLogs Enabled + - paramPermsAWSVPCsWithoutFlowLogsEnabled + ## Common Bill Ingestion from AWS S3 Object Storage + - paramPermsCommonBillIngestionfromAWSS3ObjectStorage + # End for each policy template - paramPermsAttachExistingPolicies # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-interface-parameterlabel.html 
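Review bot: The regenerated parameter group still lists `paramPermsAWSSupersededEC2Instances` (under `## AWS Superseded EC2 Instances`) while this same commit deletes the "AWS Superseded EC2 Instances" entry from master_policy_permissions_list.json and .yaml, so the template and the permissions list it is meant to be generated from no longer agree on which policy templates exist. If that policy was retired, a stale parameter presumably still lets a deployer opt the IAM role into the `ec2:ModifyInstanceAttribute`, `ec2:StartInstances` and `ec2:StopInstances` grants the list just dropped — the Resources section is outside this hunk, so please verify what the parameter still gates; if the policy was merely moved, the list needs its entry re-added under the new path instead. Either way the generator should treat the permissions list as the single source of truth so the two files cannot drift between regeneration runs. The enclosing Metadata block starts and ends outside this hunk.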
@@ -53,39 +202,253 @@ Metadata: default: "Flexera Organization ID" paramFlexeraZone: default: "Flexera Zone" - #### For each policy template append: - # paramPerms: - # default: "Permissions for Policy Template: " - paramPermsAWSUnusedVolumes: - default: "Permissions for Policy Template: AWS Unused Volumes" - paramPermsAWSRightsizeEBSVolumes: - default: "Permissions for Policy Template: AWS Rightsize EBS Volumes" - paramPermsAWSRightsizeRDSInstances: - default: "Permissions for Policy Template: AWS Rightsize RDS Instances" - paramPermsAWSUnusedIPAddresses: - default: "Permissions for Policy Template: AWS Unused IP Addresses" - paramPermsAWSUnusedCLBs: - default: "Permissions for Policy Template: AWS Unused Classic Load Balancers" + ## All AWS Policy Templates + paramPermsAllAWSPolicyTemplates: + default: "Permissions for all AWS Policy Templates" + ## AWS Account Credentials + paramPermsAWSAccountCredentials: + default: "Permissions for Policy Template: AWS Account Credentials" + ## AWS Accounts Missing Service Control Policies + paramPermsAWSAccountsMissingServiceControlPolicies: + default: "Permissions for Policy Template: AWS Accounts Missing Service Control Policies" + ## AWS Burstable EC2 Instances + paramPermsAWSBurstableEC2Instances: + default: "Permissions for Policy Template: AWS Burstable EC2 Instances" + ## AWS CloudTrail Not Enabled In All Regions + paramPermsAWSCloudTrailNotEnabledInAllRegions: + default: "Permissions for Policy Template: AWS CloudTrail Not Enabled In All Regions" + ## AWS CloudTrail S3 Buckets Without Access Logging + paramPermsAWSCloudTrailS3BucketsWithoutAccessLogging: + default: "Permissions for Policy Template: AWS CloudTrail S3 Buckets Without Access Logging" + ## AWS CloudTrails Not Integrated With CloudWatch + paramPermsAWSCloudTrailsNotIntegratedWithCloudWatch: + default: "Permissions for Policy Template: AWS CloudTrails Not Integrated With CloudWatch" + ## AWS CloudTrails With Read Logging Enabled + 
paramPermsAWSCloudTrailsWithReadLoggingEnabled: + default: "Permissions for Policy Template: AWS CloudTrails With Read Logging Enabled" + ## AWS CloudTrails Without Encrypted Logs + paramPermsAWSCloudTrailsWithoutEncryptedLogs: + default: "Permissions for Policy Template: AWS CloudTrails Without Encrypted Logs" + ## AWS CloudTrails Without Log File Validation Enabled + paramPermsAWSCloudTrailsWithoutLogFileValidationEnabled: + default: "Permissions for Policy Template: AWS CloudTrails Without Log File Validation Enabled" + ## AWS CloudTrails Without Object-level Events Logging Enabled + paramPermsAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled: + default: "Permissions for Policy Template: AWS CloudTrails Without Object-level Events Logging Enabled" + ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled + paramPermsAWSCustomerManagedKeysCMKsWithoutRotationEnabled: + default: "Permissions for Policy Template: AWS Customer Managed Keys (CMKs) Without Rotation Enabled" + ## AWS Disallowed Regions + paramPermsAWSDisallowedRegions: + default: "Permissions for Policy Template: AWS Disallowed Regions" + ## AWS EC2 Compute Optimizer Recommendations + paramPermsAWSEC2ComputeOptimizerRecommendations: + default: "Permissions for Policy Template: AWS EC2 Compute Optimizer Recommendations" + ## AWS EC2 Instances Time Stopped Report + paramPermsAWSEC2InstancesTimeStoppedReport: + default: "Permissions for Policy Template: AWS EC2 Instances Time Stopped Report" + ## AWS EC2 Instances not running FlexNet Inventory Agent + paramPermsAWSEC2InstancesnotrunningFlexNetInventoryAgent: + default: "Permissions for Policy Template: AWS EC2 Instances not running FlexNet Inventory Agent" + ## AWS EKS Clusters Without Spot Instances + paramPermsAWSEKSClustersWithoutSpotInstances: + default: "Permissions for Policy Template: AWS EKS Clusters Without Spot Instances" + ## AWS Elastic Load Balancers With Unencrypted Listeners + 
paramPermsAWSElasticLoadBalancersWithUnencryptedListeners: + default: "Permissions for Policy Template: AWS Elastic Load Balancers With Unencrypted Listeners" + ## AWS Expiring Savings Plans + paramPermsAWSExpiringSavingsPlans: + default: "Permissions for Policy Template: AWS Expiring Savings Plans" + ## AWS IAM Account Missing Support Role + paramPermsAWSIAMAccountMissingSupportRole: + default: "Permissions for Policy Template: AWS IAM Account Missing Support Role" + ## AWS IAM Attached Admin Policies + paramPermsAWSIAMAttachedAdminPolicies: + default: "Permissions for Policy Template: AWS IAM Attached Admin Policies" + ## AWS IAM Expired SSL/TLS Certificates + paramPermsAWSIAMExpiredSSLTLSCertificates: + default: "Permissions for Policy Template: AWS IAM Expired SSL/TLS Certificates" + ## AWS IAM Insufficient Required Password Length + paramPermsAWSIAMInsufficientRequiredPasswordLength: + default: "Permissions for Policy Template: AWS IAM Insufficient Required Password Length" + ## AWS IAM Password Policy Not Restricting Password Reuse + paramPermsAWSIAMPasswordPolicyNotRestrictingPasswordReuse: + default: "Permissions for Policy Template: AWS IAM Password Policy Not Restricting Password Reuse" + ## AWS IAM Role Audit + paramPermsAWSIAMRoleAudit: + default: "Permissions for Policy Template: AWS IAM Role Audit" + ## AWS IAM Root Account Access Keys + paramPermsAWSIAMRootAccountAccessKeys: + default: "Permissions for Policy Template: AWS IAM Root Account Access Keys" + ## AWS IAM Root User Account Without Hardware MFA + paramPermsAWSIAMRootUserAccountWithoutHardwareMFA: + default: "Permissions for Policy Template: AWS IAM Root User Account Without Hardware MFA" + ## AWS IAM Root User Account Without MFA + paramPermsAWSIAMRootUserAccountWithoutMFA: + default: "Permissions for Policy Template: AWS IAM Root User Account Without MFA" + ## AWS IAM Root User Doing Everyday Tasks + paramPermsAWSIAMRootUserDoingEverydayTasks: + default: "Permissions for Policy Template: 
AWS IAM Root User Doing Everyday Tasks" + ## AWS IAM User Accounts Without MFA + paramPermsAWSIAMUserAccountsWithoutMFA: + default: "Permissions for Policy Template: AWS IAM User Accounts Without MFA" + ## AWS IAM Users With Directly-Attached Policies + paramPermsAWSIAMUsersWithDirectlyAttachedPolicies: + default: "Permissions for Policy Template: AWS IAM Users With Directly-Attached Policies" + ## AWS IAM Users With Multiple Active Access Keys + paramPermsAWSIAMUsersWithMultipleActiveAccessKeys: + default: "Permissions for Policy Template: AWS IAM Users With Multiple Active Access Keys" + ## AWS IAM Users With Old Access Keys + paramPermsAWSIAMUsersWithOldAccessKeys: + default: "Permissions for Policy Template: AWS IAM Users With Old Access Keys" + ## AWS Idle NAT Gateways + paramPermsAWSIdleNATGateways: + default: "Permissions for Policy Template: AWS Idle NAT Gateways" + ## AWS Internet-Accessible Elastic Load Balancers + paramPermsAWSInternetAccessibleElasticLoadBalancers: + default: "Permissions for Policy Template: AWS Internet-Accessible Elastic Load Balancers" + ## AWS Lambda Functions With High Error Rate + paramPermsAWSLambdaFunctionsWithHighErrorRate: + default: "Permissions for Policy Template: AWS Lambda Functions With High Error Rate" + ## AWS Lambda Functions Without Provisioned Concurrency + paramPermsAWSLambdaFunctionsWithoutProvisionedConcurrency: + default: "Permissions for Policy Template: AWS Lambda Functions Without Provisioned Concurrency" + ## AWS Long Running Instances + paramPermsAWSLongRunningInstances: + default: "Permissions for Policy Template: AWS Long Running Instances" + ## AWS Long Stopped EC2 Instances + paramPermsAWSLongStoppedEC2Instances: + default: "Permissions for Policy Template: AWS Long Stopped EC2 Instances" + ## AWS Missing Regions + paramPermsAWSMissingRegions: + default: "Permissions for Policy Template: AWS Missing Regions" + ## AWS Old Snapshots paramPermsAWSOldSnapshots: default: "Permissions for Policy Template: 
AWS Old Snapshots" + ## AWS Open S3 Buckets + paramPermsAWSOpenS3Buckets: + default: "Permissions for Policy Template: AWS Open S3 Buckets" + ## AWS Oversized S3 Buckets + paramPermsAWSOversizedS3Buckets: + default: "Permissions for Policy Template: AWS Oversized S3 Buckets" + ## AWS Publicly Accessible CloudTrail S3 Buckets + paramPermsAWSPubliclyAccessibleCloudTrailS3Buckets: + default: "Permissions for Policy Template: AWS Publicly Accessible CloudTrail S3 Buckets" + ## AWS Publicly Accessible RDS Instances + paramPermsAWSPubliclyAccessibleRDSInstances: + default: "Permissions for Policy Template: AWS Publicly Accessible RDS Instances" + ## AWS RDS Instances With Unapproved Backup Settings + paramPermsAWSRDSInstancesWithUnapprovedBackupSettings: + default: "Permissions for Policy Template: AWS RDS Instances With Unapproved Backup Settings" + ## AWS Regions Without Access Analyzer Enabled + paramPermsAWSRegionsWithoutAccessAnalyzerEnabled: + default: "Permissions for Policy Template: AWS Regions Without Access Analyzer Enabled" + ## AWS Regions Without Config Fully Enabled + paramPermsAWSRegionsWithoutConfigFullyEnabled: + default: "Permissions for Policy Template: AWS Regions Without Config Fully Enabled" + ## AWS Regions Without Default EBS Encryption + paramPermsAWSRegionsWithoutDefaultEBSEncryption: + default: "Permissions for Policy Template: AWS Regions Without Default EBS Encryption" + ## AWS Reserved Instances Coverage + paramPermsAWSReservedInstancesCoverage: + default: "Permissions for Policy Template: AWS Reserved Instances Coverage" + ## AWS Reserved Instances Recommendations + paramPermsAWSReservedInstancesRecommendations: + default: "Permissions for Policy Template: AWS Reserved Instances Recommendations" + ## AWS Rightsize EBS Volumes + paramPermsAWSRightsizeEBSVolumes: + default: "Permissions for Policy Template: AWS Rightsize EBS Volumes" + ## AWS Rightsize EC2 Instances paramPermsAWSRightsizeEC2Instances: default: "Permissions for Policy 
Template: AWS Rightsize EC2 Instances" - paramPermsAWSSupersededEC2Instances: - default: "Permissions for Policy Template: AWS Superseded EC2 Instances" - paramPermsAWSReservedInstancesRecommendation: - default: "Permissions for Policy Template: AWS Reserved Instances Recommendation" - paramPermsAWSObjectStorageOptimization: - default: "Permissions for Policy Template: AWS Object Storage Optimization" - paramPermsAWSExpiringSavingsPlans: - default: "Permissions for Policy Template: AWS Expiring Savings Plans" + ## AWS Rightsize ElastiCache + paramPermsAWSRightsizeElastiCache: + default: "Permissions for Policy Template: AWS Rightsize ElastiCache" + ## AWS Rightsize RDS Instances + paramPermsAWSRightsizeRDSInstances: + default: "Permissions for Policy Template: AWS Rightsize RDS Instances" + ## AWS Rightsize Redshift + paramPermsAWSRightsizeRedshift: + default: "Permissions for Policy Template: AWS Rightsize Redshift" + ## AWS S3 Buckets Accepting HTTP Requests + paramPermsAWSS3BucketsAcceptingHTTPRequests: + default: "Permissions for Policy Template: AWS S3 Buckets Accepting HTTP Requests" + ## AWS S3 Buckets Without Default Encryption Configuration + paramPermsAWSS3BucketsWithoutDefaultEncryptionConfiguration: + default: "Permissions for Policy Template: AWS S3 Buckets Without Default Encryption Configuration" + ## AWS S3 Buckets Without Intelligent Tiering + paramPermsAWSS3BucketsWithoutIntelligentTiering: + default: "Permissions for Policy Template: AWS S3 Buckets Without Intelligent Tiering" + ## AWS S3 Buckets Without Lifecycle Configuration + paramPermsAWSS3BucketsWithoutLifecycleConfiguration: + default: "Permissions for Policy Template: AWS S3 Buckets Without Lifecycle Configuration" + ## AWS S3 Buckets Without MFA Delete Enabled + paramPermsAWSS3BucketsWithoutMFADeleteEnabled: + default: "Permissions for Policy Template: AWS S3 Buckets Without MFA Delete Enabled" + ## AWS S3 Buckets Without Public Access Blocked + 
paramPermsAWSS3BucketsWithoutPublicAccessBlocked:
+ default: "Permissions for Policy Template: AWS S3 Buckets Without Public Access Blocked"
+ ## AWS S3 Buckets Without Server Access Logging
+ paramPermsAWSS3BucketsWithoutServerAccessLogging:
+ default: "Permissions for Policy Template: AWS S3 Buckets Without Server Access Logging"
+ ## AWS S3 Incomplete Multi-Part Uploads
+ paramPermsAWSS3IncompleteMultiPartUploads:
+ default: "Permissions for Policy Template: AWS S3 Incomplete Multi-Part Uploads"
+ ## AWS Savings Plan Recommendations
 paramPermsAWSSavingsPlanRecommendations:
 default: "Permissions for Policy Template: AWS Savings Plan Recommendations"
+ ## AWS Savings Plan Utilization
 paramPermsAWSSavingsPlanUtilization:
 default: "Permissions for Policy Template: AWS Savings Plan Utilization"
+ ## AWS Schedule Instance
+ paramPermsAWSScheduleInstance:
+ default: "Permissions for Policy Template: AWS Schedule Instance"
+ ## AWS Scheduled EC2 Events
+ paramPermsAWSScheduledEC2Events:
+ default: "Permissions for Policy Template: AWS Scheduled EC2 Events"
+ ## AWS Superseded EBS Volumes
+ paramPermsAWSSupersededEBSVolumes:
+ default: "Permissions for Policy Template: AWS Superseded EBS Volumes"
+ ## AWS Superseded EC2 Instances
+ paramPermsAWSSupersededEC2Instances:
+ default: "Permissions for Policy Template: AWS Superseded EC2 Instances"
+ ## AWS Tag Cardinality Report
 paramPermsAWSTagCardinalityReport:
 default: "Permissions for Policy Template: AWS Tag Cardinality Report"
+ ## AWS Unencrypted EBS Volumes
+ paramPermsAWSUnencryptedEBSVolumes:
+ default: "Permissions for Policy Template: AWS Unencrypted EBS Volumes"
+ ## AWS Unencrypted RDS Instances
+ paramPermsAWSUnencryptedRDSInstances:
+ default: "Permissions for Policy Template: AWS Unencrypted RDS Instances"
+ ## AWS Untagged Resources
 paramPermsAWSUntaggedResources:
 default: "Permissions for Policy Template: AWS Untagged Resources"
+ ## AWS Unused Application Load Balancers
+ 
paramPermsAWSUnusedApplicationLoadBalancers:
+ default: "Permissions for Policy Template: AWS Unused Application Load Balancers"
+ ## AWS Unused Classic Load Balancers
+ paramPermsAWSUnusedClassicLoadBalancers:
+ default: "Permissions for Policy Template: AWS Unused Classic Load Balancers"
+ ## AWS Unused ECS Clusters
+ paramPermsAWSUnusedECSClusters:
+ default: "Permissions for Policy Template: AWS Unused ECS Clusters"
+ ## AWS Unused IAM Credentials
+ paramPermsAWSUnusedIAMCredentials:
+ default: "Permissions for Policy Template: AWS Unused IAM Credentials"
+ ## AWS Unused IP Addresses
+ paramPermsAWSUnusedIPAddresses:
+ default: "Permissions for Policy Template: AWS Unused IP Addresses"
+ ## AWS Unused Network Load Balancers
+ paramPermsAWSUnusedNetworkLoadBalancers:
+ default: "Permissions for Policy Template: AWS Unused Network Load Balancers"
+ ## AWS VPCs Without FlowLogs Enabled
+ paramPermsAWSVPCsWithoutFlowLogsEnabled:
+ default: "Permissions for Policy Template: AWS VPCs Without FlowLogs Enabled"
+ ## Common Bill Ingestion from AWS S3 Object Storage
+ paramPermsCommonBillIngestionfromAWSS3ObjectStorage:
+ default: "Permissions for Policy Template: Common Bill Ingestion from AWS S3 Object Storage"
+ # End for each policy template
 paramPermsAttachExistingPolicies:
 default: "Additional IAM Permission Policies for IAM Role"
@@ -123,263 +486,1200 @@ Parameters:
 Default: /
 # ParameterGroup: Parameters to define Policy Template permissions on the IAM Role that is created
- #### For each policy template append:
- # paramPerms:
- # Description: 'What permissions should policies using "" Policy Template be granted on the IAM Role that will be created?'
- # Type: String
- # Default: Read Only
- # AllowedValues:
- # - No Access
- # - Read Only
- # - Read and Take Action
- paramPermsAWSUnusedVolumes:
- Description: 'What permissions should policies using "AWS Unused Volumes" Policy Template be granted on the IAM Role that will be created?'
+ ## All AWS Policy Templates
+ paramPermsAllAWSPolicyTemplates:
+ Description: 'What permissions for all AWS Policy Templates should be granted on the AWS Role that will be created? Note that the more granular permissions below only need to be enabled if this option is disabled or you want to grant access to take actions only for specific policy templates.'
 Type: String
 Default: Read Only
 AllowedValues:
- - No Access
+ - None
 - Read Only
 - Read and Take Action
- paramPermsAWSRightsizeEBSVolumes:
- Description: 'What permissions should policies using "AWS Rightsize EBS Volumes" Policy Template be granted on the IAM Role that will be created?'
+ ## AWS Account Credentials
+ paramPermsAWSAccountCredentials:
+ Description: 'What permissions for the "AWS Account Credentials" Policy Template should be granted on the AWS Role that will be created?'
 Type: String
- Default: Read Only
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Accounts Missing Service Control Policies
+ paramPermsAWSAccountsMissingServiceControlPolicies:
+ Description: 'What permissions for the "AWS Accounts Missing Service Control Policies" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Burstable EC2 Instances
+ paramPermsAWSBurstableEC2Instances:
+ Description: 'What permissions for the "AWS Burstable EC2 Instances" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
 AllowedValues:
- - No Access
+ - None
 - Read Only
 - Read and Take Action
- paramPermsAWSRightsizeRDSInstances:
- Description: 'What permissions should policies using "AWS Rightsize RDS Instances" Policy Template be granted on the IAM Role that will be created?'
+ ## AWS CloudTrail Not Enabled In All Regions
+ paramPermsAWSCloudTrailNotEnabledInAllRegions:
+ Description: 'What permissions for the "AWS CloudTrail Not Enabled In All Regions" Policy Template should be granted on the AWS Role that will be created?'
 Type: String
- Default: Read Only
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS CloudTrail S3 Buckets Without Access Logging
+ paramPermsAWSCloudTrailS3BucketsWithoutAccessLogging:
+ Description: 'What permissions for the "AWS CloudTrail S3 Buckets Without Access Logging" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS CloudTrails Not Integrated With CloudWatch
+ paramPermsAWSCloudTrailsNotIntegratedWithCloudWatch:
+ Description: 'What permissions for the "AWS CloudTrails Not Integrated With CloudWatch" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS CloudTrails With Read Logging Enabled
+ paramPermsAWSCloudTrailsWithReadLoggingEnabled:
+ Description: 'What permissions for the "AWS CloudTrails With Read Logging Enabled" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
 AllowedValues:
- - No Access
+ - None
 - Read Only
 - Read and Take Action
- paramPermsAWSUnusedIPAddresses:
- Description: 'What permissions should policies using "AWS Unused IP Addresses" Policy Template be granted on the IAM Role that will be created?'
+ ## AWS CloudTrails Without Encrypted Logs
+ paramPermsAWSCloudTrailsWithoutEncryptedLogs:
+ Description: 'What permissions for the "AWS CloudTrails Without Encrypted Logs" Policy Template should be granted on the AWS Role that will be created?'
 Type: String
- Default: Read Only
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS CloudTrails Without Log File Validation Enabled
+ paramPermsAWSCloudTrailsWithoutLogFileValidationEnabled:
+ Description: 'What permissions for the "AWS CloudTrails Without Log File Validation Enabled" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS CloudTrails Without Object-level Events Logging Enabled
+ paramPermsAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled:
+ Description: 'What permissions for the "AWS CloudTrails Without Object-level Events Logging Enabled" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled
+ paramPermsAWSCustomerManagedKeysCMKsWithoutRotationEnabled:
+ Description: 'What permissions for the "AWS Customer Managed Keys (CMKs) Without Rotation Enabled" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
 AllowedValues:
- - No Access
+ - None
+ - Read Only
+ ## AWS Disallowed Regions
+ paramPermsAWSDisallowedRegions:
+ Description: 'What permissions for the "AWS Disallowed Regions" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
 - Read Only
 - Read and Take Action
- paramPermsAWSUnusedCLBs:
- Description: 'What permissions should policies using "AWS Unused Classic Load Balancers" Policy Template be granted on the IAM Role that will be created?'
+ ## AWS EC2 Compute Optimizer Recommendations
+ paramPermsAWSEC2ComputeOptimizerRecommendations:
+ Description: 'What permissions for the "AWS EC2 Compute Optimizer Recommendations" Policy Template should be granted on the AWS Role that will be created?'
 Type: String
- Default: Read Only
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS EC2 Instances Time Stopped Report
+ paramPermsAWSEC2InstancesTimeStoppedReport:
+ Description: 'What permissions for the "AWS EC2 Instances Time Stopped Report" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS EC2 Instances not running FlexNet Inventory Agent
+ paramPermsAWSEC2InstancesnotrunningFlexNetInventoryAgent:
+ Description: 'What permissions for the "AWS EC2 Instances not running FlexNet Inventory Agent" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS EKS Clusters Without Spot Instances
+ paramPermsAWSEKSClustersWithoutSpotInstances:
+ Description: 'What permissions for the "AWS EKS Clusters Without Spot Instances" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Elastic Load Balancers With Unencrypted Listeners
+ paramPermsAWSElasticLoadBalancersWithUnencryptedListeners:
+ Description: 'What permissions for the "AWS Elastic Load Balancers With Unencrypted Listeners" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Expiring Savings Plans
+ paramPermsAWSExpiringSavingsPlans:
+ Description: 'What permissions for the "AWS Expiring Savings Plans" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS IAM Account Missing Support Role
+ paramPermsAWSIAMAccountMissingSupportRole:
+ Description: 'What permissions for the "AWS IAM Account Missing Support Role" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS IAM Attached Admin Policies
+ paramPermsAWSIAMAttachedAdminPolicies:
+ Description: 'What permissions for the "AWS IAM Attached Admin Policies" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS IAM Expired SSL/TLS Certificates
+ paramPermsAWSIAMExpiredSSLTLSCertificates:
+ Description: 'What permissions for the "AWS IAM Expired SSL/TLS Certificates" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS IAM Insufficient Required Password Length
+ paramPermsAWSIAMInsufficientRequiredPasswordLength:
+ Description: 'What permissions for the "AWS IAM Insufficient Required Password Length" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS IAM Password Policy Not Restricting Password Reuse
+ paramPermsAWSIAMPasswordPolicyNotRestrictingPasswordReuse:
+ Description: 'What permissions for the "AWS IAM Password Policy Not Restricting Password Reuse" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS IAM Role Audit
+ paramPermsAWSIAMRoleAudit:
+ Description: 'What permissions for the "AWS IAM Role Audit" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS IAM Root Account Access Keys
+ paramPermsAWSIAMRootAccountAccessKeys:
+ Description: 'What permissions for the "AWS IAM Root Account Access Keys" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS IAM Root User Account Without Hardware MFA
+ paramPermsAWSIAMRootUserAccountWithoutHardwareMFA:
+ Description: 'What permissions for the "AWS IAM Root User Account Without Hardware MFA" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS IAM Root User Account Without MFA
+ paramPermsAWSIAMRootUserAccountWithoutMFA:
+ Description: 'What permissions for the "AWS IAM Root User Account Without MFA" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS IAM Root User Doing Everyday Tasks
+ paramPermsAWSIAMRootUserDoingEverydayTasks:
+ Description: 'What permissions for the "AWS IAM Root User Doing Everyday Tasks" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS IAM User Accounts Without MFA
+ paramPermsAWSIAMUserAccountsWithoutMFA:
+ Description: 'What permissions for the "AWS IAM User Accounts Without MFA" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS IAM Users With Directly-Attached Policies
+ paramPermsAWSIAMUsersWithDirectlyAttachedPolicies:
+ Description: 'What permissions for the "AWS IAM Users With Directly-Attached Policies" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS IAM Users With Multiple Active Access Keys
+ paramPermsAWSIAMUsersWithMultipleActiveAccessKeys:
+ Description: 'What permissions for the "AWS IAM Users With Multiple Active Access Keys" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS IAM Users With Old Access Keys
+ paramPermsAWSIAMUsersWithOldAccessKeys:
+ Description: 'What permissions for the "AWS IAM Users With Old Access Keys" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
 AllowedValues:
- - No Access
+ - None
+ - Read Only
+ ## AWS Idle NAT Gateways
+ paramPermsAWSIdleNATGateways:
+ Description: 'What permissions for the "AWS Idle NAT Gateways" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS Internet-Accessible Elastic Load Balancers
+ paramPermsAWSInternetAccessibleElasticLoadBalancers:
+ Description: 'What permissions for the "AWS Internet-Accessible Elastic Load Balancers" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS Lambda Functions With High Error Rate
+ paramPermsAWSLambdaFunctionsWithHighErrorRate:
+ Description: 'What permissions for the "AWS Lambda Functions With High Error Rate" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Lambda Functions Without Provisioned Concurrency
+ paramPermsAWSLambdaFunctionsWithoutProvisionedConcurrency:
+ Description: 'What permissions for the "AWS Lambda Functions Without Provisioned Concurrency" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Long Running Instances
+ paramPermsAWSLongRunningInstances:
+ Description: 'What permissions for the "AWS Long Running Instances" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS Long Stopped EC2 Instances
+ paramPermsAWSLongStoppedEC2Instances:
+ Description: 'What permissions for the "AWS Long Stopped EC2 Instances" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
 - Read Only
 - Read and Take Action
+ ## AWS Missing Regions
+ paramPermsAWSMissingRegions:
+ Description: 'What permissions for the "AWS Missing Regions" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Old Snapshots
 paramPermsAWSOldSnapshots:
- Description: 'What permissions should policies using "AWS Old Snapshots" Policy Template be granted on the IAM Role that will be created?'
+ Description: 'What permissions for the "AWS Old Snapshots" Policy Template should be granted on the AWS Role that will be created?'
 Type: String
- Default: Read Only
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS Open S3 Buckets
+ paramPermsAWSOpenS3Buckets:
+ Description: 'What permissions for the "AWS Open S3 Buckets" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Oversized S3 Buckets
+ paramPermsAWSOversizedS3Buckets:
+ Description: 'What permissions for the "AWS Oversized S3 Buckets" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
 AllowedValues:
- - No Access
+ - None
+ - Read Only
+ ## AWS Publicly Accessible CloudTrail S3 Buckets
+ paramPermsAWSPubliclyAccessibleCloudTrailS3Buckets:
+ Description: 'What permissions for the "AWS Publicly Accessible CloudTrail S3 Buckets" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Publicly Accessible RDS Instances
+ paramPermsAWSPubliclyAccessibleRDSInstances:
+ Description: 'What permissions for the "AWS Publicly Accessible RDS Instances" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS RDS Instances With Unapproved Backup Settings
+ paramPermsAWSRDSInstancesWithUnapprovedBackupSettings:
+ Description: 'What permissions for the "AWS RDS Instances With Unapproved Backup Settings" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Regions Without Access Analyzer Enabled
+ paramPermsAWSRegionsWithoutAccessAnalyzerEnabled:
+ Description: 'What permissions for the "AWS Regions Without Access Analyzer Enabled" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Regions Without Config Fully Enabled
+ paramPermsAWSRegionsWithoutConfigFullyEnabled:
+ Description: 'What permissions for the "AWS Regions Without Config Fully Enabled" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Regions Without Default EBS Encryption
+ paramPermsAWSRegionsWithoutDefaultEBSEncryption:
+ Description: 'What permissions for the "AWS Regions Without Default EBS Encryption" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Reserved Instances Coverage
+ paramPermsAWSReservedInstancesCoverage:
+ Description: 'What permissions for the "AWS Reserved Instances Coverage" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Reserved Instances Recommendations
+ paramPermsAWSReservedInstancesRecommendations:
+ Description: 'What permissions for the "AWS Reserved Instances Recommendations" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Rightsize EBS Volumes
+ paramPermsAWSRightsizeEBSVolumes:
+ Description: 'What permissions for the "AWS Rightsize EBS Volumes" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
 - Read Only
 - Read and Take Action
+ ## AWS Rightsize EC2 Instances
 paramPermsAWSRightsizeEC2Instances:
- Description: 'What permissions should policies using "AWS Rightsize EC2 Instances" Policy Template be granted on the IAM Role that will be created?'
+ Description: 'What permissions for the "AWS Rightsize EC2 Instances" Policy Template should be granted on the AWS Role that will be created?'
 Type: String
- Default: Read Only
+ Default: None
 AllowedValues:
- - No Access
+ - None
 - Read Only
 - Read and Take Action
- paramPermsAWSSupersededEC2Instances:
- Description: 'What permissions should policies using "AWS Superseded EC2 Instances" Policy Template be granted on the IAM Role that will be created?'
+ ## AWS Rightsize ElastiCache
+ paramPermsAWSRightsizeElastiCache:
+ Description: 'What permissions for the "AWS Rightsize ElastiCache" Policy Template should be granted on the AWS Role that will be created?'
 Type: String
- Default: Read Only
+ Default: None
 AllowedValues:
- - No Access
+ - None
 - Read Only
 - Read and Take Action
- paramPermsAWSReservedInstancesRecommendation:
- Description: 'What permissions should policies using "AWS Reserved Instances Recommendation" Policy Template be granted on the IAM Role that will be created?'
+ ## AWS Rightsize RDS Instances
+ paramPermsAWSRightsizeRDSInstances:
+ Description: 'What permissions for the "AWS Rightsize RDS Instances" Policy Template should be granted on the AWS Role that will be created?'
 Type: String
- Default: Read Only
+ Default: None
 AllowedValues:
- - No Access
+ - None
 - Read Only
- # - Read and Take Action
- paramPermsAWSObjectStorageOptimization:
- Description: 'What permissions should policies using "AWS Object Storage Optimization" Policy Template be granted on the IAM Role that will be created?'
+ - Read and Take Action
+ ## AWS Rightsize Redshift
+ paramPermsAWSRightsizeRedshift:
+ Description: 'What permissions for the "AWS Rightsize Redshift" Policy Template should be granted on the AWS Role that will be created?'
 Type: String
- Default: Read Only
+ Default: None
 AllowedValues:
- - No Access
+ - None
 - Read Only
 - Read and Take Action
- paramPermsAWSExpiringSavingsPlans:
- Description: 'What permissions should policies using "AWS Expiring Savings Plans" Policy Template be granted on the IAM Role that will be created?'
+ ## AWS S3 Buckets Accepting HTTP Requests
+ paramPermsAWSS3BucketsAcceptingHTTPRequests:
+ Description: 'What permissions for the "AWS S3 Buckets Accepting HTTP Requests" Policy Template should be granted on the AWS Role that will be created?'
Type: String
- Default: Read Only
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS S3 Buckets Without Default Encryption Configuration
+ paramPermsAWSS3BucketsWithoutDefaultEncryptionConfiguration:
+ Description: 'What permissions for the "AWS S3 Buckets Without Default Encryption Configuration" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS S3 Buckets Without Intelligent Tiering
+ paramPermsAWSS3BucketsWithoutIntelligentTiering:
+ Description: 'What permissions for the "AWS S3 Buckets Without Intelligent Tiering" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS S3 Buckets Without Lifecycle Configuration
+ paramPermsAWSS3BucketsWithoutLifecycleConfiguration:
+ Description: 'What permissions for the "AWS S3 Buckets Without Lifecycle Configuration" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
 AllowedValues:
- - No Access
+ - None
 - Read Only
- # - Read and Take Action
+ ## AWS S3 Buckets Without MFA Delete Enabled
+ paramPermsAWSS3BucketsWithoutMFADeleteEnabled:
+ Description: 'What permissions for the "AWS S3 Buckets Without MFA Delete Enabled" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS S3 Buckets Without Public Access Blocked
+ paramPermsAWSS3BucketsWithoutPublicAccessBlocked:
+ Description: 'What permissions for the "AWS S3 Buckets Without Public Access Blocked" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS S3 Buckets Without Server Access Logging
+ paramPermsAWSS3BucketsWithoutServerAccessLogging:
+ Description: 'What permissions for the "AWS S3 Buckets Without Server Access Logging" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS S3 Incomplete Multi-Part Uploads
+ paramPermsAWSS3IncompleteMultiPartUploads:
+ Description: 'What permissions for the "AWS S3 Incomplete Multi-Part Uploads" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS Savings Plan Recommendations
 paramPermsAWSSavingsPlanRecommendations:
- Description: 'What permissions should policies using "AWS Savings Plan Recommendations" Policy Template be granted on the IAM Role that will be created?'
+ Description: 'What permissions for the "AWS Savings Plan Recommendations" Policy Template should be granted on the AWS Role that will be created?'
 Type: String
- Default: Read Only
+ Default: None
 AllowedValues:
- - No Access
+ - None
 - Read Only
- # - Read and Take Action
+ ## AWS Savings Plan Utilization
 paramPermsAWSSavingsPlanUtilization:
- Description: 'What permissions should policies using "AWS Savings Plan Utilization" Policy Template be granted on the IAM Role that will be created?'
+ Description: 'What permissions for the "AWS Savings Plan Utilization" Policy Template should be granted on the AWS Role that will be created?'
 Type: String
- Default: Read Only
+ Default: None
 AllowedValues:
- - No Access
+ - None
 - Read Only
- # - Read and Take Action
+ ## AWS Schedule Instance
+ paramPermsAWSScheduleInstance:
+ Description: 'What permissions for the "AWS Schedule Instance" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Scheduled EC2 Events
+ paramPermsAWSScheduledEC2Events:
+ Description: 'What permissions for the "AWS Scheduled EC2 Events" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Superseded EBS Volumes
+ paramPermsAWSSupersededEBSVolumes:
+ Description: 'What permissions for the "AWS Superseded EBS Volumes" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS Superseded EC2 Instances
+ paramPermsAWSSupersededEC2Instances:
+ Description: 'What permissions for the "AWS Superseded EC2 Instances" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS Tag Cardinality Report
 paramPermsAWSTagCardinalityReport:
- Description: 'What permissions should policies using "AWS Tag Cardinality Report" Policy Template be granted on the IAM Role that will be created?'
+ Description: 'What permissions for the "AWS Tag Cardinality Report" Policy Template should be granted on the AWS Role that will be created?'
 Type: String
- Default: Read Only
+ Default: None
 AllowedValues:
- - No Access
+ - None
 - Read Only
- # - Read and Take Action
+ ## AWS Unencrypted EBS Volumes
+ paramPermsAWSUnencryptedEBSVolumes:
+ Description: 'What permissions for the "AWS Unencrypted EBS Volumes" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Unencrypted RDS Instances
+ paramPermsAWSUnencryptedRDSInstances:
+ Description: 'What permissions for the "AWS Unencrypted RDS Instances" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS Untagged Resources
 paramPermsAWSUntaggedResources:
- Description: 'What permissions should policies using "AWS Untagged Resources" Policy Template be granted on the IAM Role that will be created?'
+ Description: 'What permissions for the "AWS Untagged Resources" Policy Template should be granted on the AWS Role that will be created?'
 Type: String
- Default: Read Only
+ Default: None
 AllowedValues:
- - No Access
+ - None
 - Read Only
 - Read and Take Action
- # End for each policy template
- paramPermsAttachExistingPolicies:
- Description: 'Existing IAM Permission Policies to attach to the IAM Role that will be created. Optional, comma separated list of IAM Policy ARNs -- i.e. arn:aws:iam::aws:policy/ReadOnlyAccess'
+ ## AWS Unused Application Load Balancers
+ paramPermsAWSUnusedApplicationLoadBalancers:
+ Description: 'What permissions for the "AWS Unused Application Load Balancers" Policy Template should be granted on the AWS Role that will be created?'
 Type: String
- # AWS Managed Policy ARN: arn:aws:iam::aws:policy/ReadOnlyAccess
- # Customer Managed Policy ARN: arn:aws:iam::123456789012:policy/CustomPolicy
- AllowedPattern: '^((arn:aws:iam::(\d{12}|aws)?:policy\/[\w+=,.@-]{1,128})(,)?)*$'
- ConstraintDescription: 'Malformed IAM Policy ARN. Must match pattern ^((arn:aws:iam::(\d{12}|aws)?:policy\/[\w+=,.@-]{1,128})(,)?)*$'
-
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS Unused Classic Load Balancers
+ paramPermsAWSUnusedClassicLoadBalancers:
+ Description: 'What permissions for the "AWS Unused Classic Load Balancers" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS Unused ECS Clusters
+ paramPermsAWSUnusedECSClusters:
+ Description: 'What permissions for the "AWS Unused ECS Clusters" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS Unused IAM Credentials
+ paramPermsAWSUnusedIAMCredentials:
+ Description: 'What permissions for the "AWS Unused IAM Credentials" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## AWS Unused IP Addresses
+ paramPermsAWSUnusedIPAddresses:
+ Description: 'What permissions for the "AWS Unused IP Addresses" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS Unused Network Load Balancers
+ paramPermsAWSUnusedNetworkLoadBalancers:
+ Description: 'What permissions for the "AWS Unused Network Load Balancers" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ - Read and Take Action
+ ## AWS VPCs Without FlowLogs Enabled
+ paramPermsAWSVPCsWithoutFlowLogsEnabled:
+ Description: 'What permissions for the "AWS VPCs Without FlowLogs Enabled" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+ ## Common Bill Ingestion from AWS S3 Object Storage
+ paramPermsCommonBillIngestionfromAWSS3ObjectStorage:
+ Description: 'What permissions for the "Common Bill Ingestion from AWS S3 Object Storage" Policy Template should be granted on the AWS Role that will be created?'
+ Type: String
+ Default: None
+ AllowedValues:
+ - None
+ - Read Only
+
+ # End for each policy template
+ paramPermsAttachExistingPolicies:
+ Description: 'Existing IAM Permission Policies to attach to the IAM Role that will be created. Optional, comma separated list of IAM Policy ARNs -- i.e. arn:aws:iam::aws:policy/ReadOnlyAccess'
+ Type: String
+ # AWS Managed Policy ARN: arn:aws:iam::aws:policy/ReadOnlyAccess
+ # Customer Managed Policy ARN: arn:aws:iam::123456789012:policy/CustomPolicy
+ AllowedPattern: '^((arn:aws:iam::(\d{12}|aws)?:policy\/[\w+=,.@-]{1,128})(,)?)*$'
+ ConstraintDescription: 'Malformed IAM Policy ARN. Must match pattern ^((arn:aws:iam::(\d{12}|aws)?:policy\/[\w+=,.@-]{1,128})(,)?)*$'
+
 Conditions:
- #### For each policy template append:
- # CreatePolicyRead: !Not
- # - !Equals
- # - !Ref paramPerms
- # - No Access
- # CreatePolicyAction: !Equals
- # - !Ref paramPerms
- # - Read and Take Action
- CreatePolicyAWSUnusedVolumesRead: !Not
- - !Equals
- - !Ref paramPermsAWSUnusedVolumes
- - No Access
- CreatePolicyAWSUnusedVolumesAction: !Equals
- - !Ref paramPermsAWSUnusedVolumes
+ ## All AWS Policy Templates
+ CreatePolicyAllAWSPolicyTemplatesRead: !Not
+ - !Equals
+ - !Ref paramPermsAllAWSPolicyTemplates
+ - None
+ CreatePolicyAllAWSPolicyTemplatesAction: !Equals
+ - !Ref paramPermsAllAWSPolicyTemplates
 - Read and Take Action
- CreatePolicyAWSRightsizeEBSVolumesRead: !Not
+ ## AWS Account Credentials
+ CreatePolicyAWSAccountCredentialsRead: !Not
 - !Equals
- - !Ref paramPermsAWSRightsizeEBSVolumes
- - No Access
- CreatePolicyAWSRightsizeEBSVolumesAction: !Equals
- - !Ref paramPermsAWSRightsizeEBSVolumes
+ - !Ref paramPermsAWSAccountCredentials
+ - None
+ ## AWS Accounts Missing Service Control Policies
+ CreatePolicyAWSAccountsMissingServiceControlPoliciesRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSAccountsMissingServiceControlPolicies
+ - None
+ ## AWS Burstable EC2 Instances
+ CreatePolicyAWSBurstableEC2InstancesRead: !Not
+ - !Equals
+ -
!Ref paramPermsAWSBurstableEC2Instances
+ - None
+ CreatePolicyAWSBurstableEC2InstancesAction: !Equals
+ - !Ref paramPermsAWSBurstableEC2Instances
 - Read and Take Action
- CreatePolicyAWSRightsizeRDSInstancesRead: !Not
+ ## AWS CloudTrail Not Enabled In All Regions
+ CreatePolicyAWSCloudTrailNotEnabledInAllRegionsRead: !Not
 - !Equals
- - !Ref paramPermsAWSRightsizeRDSInstances
- - No Access
- CreatePolicyAWSRightsizeRDSInstancesAction: !Equals
- - !Ref paramPermsAWSRightsizeRDSInstances
+ - !Ref paramPermsAWSCloudTrailNotEnabledInAllRegions
+ - None
+ ## AWS CloudTrail S3 Buckets Without Access Logging
+ CreatePolicyAWSCloudTrailS3BucketsWithoutAccessLoggingRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSCloudTrailS3BucketsWithoutAccessLogging
+ - None
+ ## AWS CloudTrails Not Integrated With CloudWatch
+ CreatePolicyAWSCloudTrailsNotIntegratedWithCloudWatchRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSCloudTrailsNotIntegratedWithCloudWatch
+ - None
+ ## AWS CloudTrails With Read Logging Enabled
+ CreatePolicyAWSCloudTrailsWithReadLoggingEnabledRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSCloudTrailsWithReadLoggingEnabled
+ - None
+ CreatePolicyAWSCloudTrailsWithReadLoggingEnabledAction: !Equals
+ - !Ref paramPermsAWSCloudTrailsWithReadLoggingEnabled
 - Read and Take Action
- CreatePolicyAWSUnusedIPAddressesRead: !Not
+ ## AWS CloudTrails Without Encrypted Logs
+ CreatePolicyAWSCloudTrailsWithoutEncryptedLogsRead: !Not
 - !Equals
- - !Ref paramPermsAWSUnusedIPAddresses
- - No Access
- CreatePolicyAWSUnusedIPAddressesAction: !Equals
- - !Ref paramPermsAWSUnusedIPAddresses
+ - !Ref paramPermsAWSCloudTrailsWithoutEncryptedLogs
+ - None
+ ## AWS CloudTrails Without Log File Validation Enabled
+ CreatePolicyAWSCloudTrailsWithoutLogFileValidationEnabledRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSCloudTrailsWithoutLogFileValidationEnabled
+ - None
+ ## AWS CloudTrails Without Object-level Events Logging Enabled
+
CreatePolicyAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabledRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled
+ - None
+ ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled
+ CreatePolicyAWSCustomerManagedKeysCMKsWithoutRotationEnabledRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSCustomerManagedKeysCMKsWithoutRotationEnabled
+ - None
+ ## AWS Disallowed Regions
+ CreatePolicyAWSDisallowedRegionsRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSDisallowedRegions
+ - None
+ CreatePolicyAWSDisallowedRegionsAction: !Equals
+ - !Ref paramPermsAWSDisallowedRegions
+ - Read and Take Action
+ ## AWS EC2 Compute Optimizer Recommendations
+ CreatePolicyAWSEC2ComputeOptimizerRecommendationsRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSEC2ComputeOptimizerRecommendations
+ - None
+ CreatePolicyAWSEC2ComputeOptimizerRecommendationsAction: !Equals
+ - !Ref paramPermsAWSEC2ComputeOptimizerRecommendations
+ - Read and Take Action
+ ## AWS EC2 Instances Time Stopped Report
+ CreatePolicyAWSEC2InstancesTimeStoppedReportRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSEC2InstancesTimeStoppedReport
+ - None
+ CreatePolicyAWSEC2InstancesTimeStoppedReportAction: !Equals
+ - !Ref paramPermsAWSEC2InstancesTimeStoppedReport
+ - Read and Take Action
+ ## AWS EC2 Instances not running FlexNet Inventory Agent
+ CreatePolicyAWSEC2InstancesnotrunningFlexNetInventoryAgentRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSEC2InstancesnotrunningFlexNetInventoryAgent
+ - None
+ ## AWS EKS Clusters Without Spot Instances
+ CreatePolicyAWSEKSClustersWithoutSpotInstancesRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSEKSClustersWithoutSpotInstances
+ - None
+ ## AWS Elastic Load Balancers With Unencrypted Listeners
+ CreatePolicyAWSElasticLoadBalancersWithUnencryptedListenersRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSElasticLoadBalancersWithUnencryptedListeners
+ - None
+ ## AWS Expiring Savings Plans
+ CreatePolicyAWSExpiringSavingsPlansRead: !Not
+ - !Equals
+
- !Ref paramPermsAWSExpiringSavingsPlans
+ - None
+ ## AWS IAM Account Missing Support Role
+ CreatePolicyAWSIAMAccountMissingSupportRoleRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSIAMAccountMissingSupportRole
+ - None
+ ## AWS IAM Attached Admin Policies
+ CreatePolicyAWSIAMAttachedAdminPoliciesRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSIAMAttachedAdminPolicies
+ - None
+ ## AWS IAM Expired SSL/TLS Certificates
+ CreatePolicyAWSIAMExpiredSSLTLSCertificatesRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSIAMExpiredSSLTLSCertificates
+ - None
+ ## AWS IAM Insufficient Required Password Length
+ CreatePolicyAWSIAMInsufficientRequiredPasswordLengthRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSIAMInsufficientRequiredPasswordLength
+ - None
+ ## AWS IAM Password Policy Not Restricting Password Reuse
+ CreatePolicyAWSIAMPasswordPolicyNotRestrictingPasswordReuseRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSIAMPasswordPolicyNotRestrictingPasswordReuse
+ - None
+ ## AWS IAM Role Audit
+ CreatePolicyAWSIAMRoleAuditRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSIAMRoleAudit
+ - None
+ ## AWS IAM Root Account Access Keys
+ CreatePolicyAWSIAMRootAccountAccessKeysRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSIAMRootAccountAccessKeys
+ - None
+ ## AWS IAM Root User Account Without Hardware MFA
+ CreatePolicyAWSIAMRootUserAccountWithoutHardwareMFARead: !Not
+ - !Equals
+ - !Ref paramPermsAWSIAMRootUserAccountWithoutHardwareMFA
+ - None
+ ## AWS IAM Root User Account Without MFA
+ CreatePolicyAWSIAMRootUserAccountWithoutMFARead: !Not
+ - !Equals
+ - !Ref paramPermsAWSIAMRootUserAccountWithoutMFA
+ - None
+ ## AWS IAM Root User Doing Everyday Tasks
+ CreatePolicyAWSIAMRootUserDoingEverydayTasksRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSIAMRootUserDoingEverydayTasks
+ - None
+ ## AWS IAM User Accounts Without MFA
+ CreatePolicyAWSIAMUserAccountsWithoutMFARead: !Not
+ - !Equals
+ - !Ref paramPermsAWSIAMUserAccountsWithoutMFA
+ - None
+ ## AWS IAM Users With Directly-Attached Policies
+
CreatePolicyAWSIAMUsersWithDirectlyAttachedPoliciesRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSIAMUsersWithDirectlyAttachedPolicies
+ - None
+ ## AWS IAM Users With Multiple Active Access Keys
+ CreatePolicyAWSIAMUsersWithMultipleActiveAccessKeysRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSIAMUsersWithMultipleActiveAccessKeys
+ - None
+ ## AWS IAM Users With Old Access Keys
+ CreatePolicyAWSIAMUsersWithOldAccessKeysRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSIAMUsersWithOldAccessKeys
+ - None
+ ## AWS Idle NAT Gateways
+ CreatePolicyAWSIdleNATGatewaysRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSIdleNATGateways
+ - None
+ CreatePolicyAWSIdleNATGatewaysAction: !Equals
+ - !Ref paramPermsAWSIdleNATGateways
+ - Read and Take Action
+ ## AWS Internet-Accessible Elastic Load Balancers
+ CreatePolicyAWSInternetAccessibleElasticLoadBalancersRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSInternetAccessibleElasticLoadBalancers
+ - None
+ CreatePolicyAWSInternetAccessibleElasticLoadBalancersAction: !Equals
+ - !Ref paramPermsAWSInternetAccessibleElasticLoadBalancers
+ - Read and Take Action
+ ## AWS Lambda Functions With High Error Rate
+ CreatePolicyAWSLambdaFunctionsWithHighErrorRateRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSLambdaFunctionsWithHighErrorRate
+ - None
+ ## AWS Lambda Functions Without Provisioned Concurrency
+ CreatePolicyAWSLambdaFunctionsWithoutProvisionedConcurrencyRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSLambdaFunctionsWithoutProvisionedConcurrency
+ - None
+ ## AWS Long Running Instances
+ CreatePolicyAWSLongRunningInstancesRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSLongRunningInstances
+ - None
+ CreatePolicyAWSLongRunningInstancesAction: !Equals
+ - !Ref paramPermsAWSLongRunningInstances
 - Read and Take Action
- CreatePolicyAWSUnusedCLBsRead: !Not
- - !Equals
- - !Ref paramPermsAWSUnusedCLBs
- - No Access
- CreatePolicyAWSUnusedCLBsAction: !Equals
- - !Ref paramPermsAWSUnusedCLBs
+ ## AWS Long Stopped EC2 Instances
+
CreatePolicyAWSLongStoppedEC2InstancesRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSLongStoppedEC2Instances
+ - None
+ CreatePolicyAWSLongStoppedEC2InstancesAction: !Equals
+ - !Ref paramPermsAWSLongStoppedEC2Instances
 - Read and Take Action
+ ## AWS Missing Regions
+ CreatePolicyAWSMissingRegionsRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSMissingRegions
+ - None
+ ## AWS Old Snapshots
 CreatePolicyAWSOldSnapshotsRead: !Not
 - !Equals
 - !Ref paramPermsAWSOldSnapshots
- - No Access
+ - None
 CreatePolicyAWSOldSnapshotsAction: !Equals
 - !Ref paramPermsAWSOldSnapshots
 - Read and Take Action
+ ## AWS Open S3 Buckets
+ CreatePolicyAWSOpenS3BucketsRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSOpenS3Buckets
+ - None
+ ## AWS Oversized S3 Buckets
+ CreatePolicyAWSOversizedS3BucketsRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSOversizedS3Buckets
+ - None
+ ## AWS Publicly Accessible CloudTrail S3 Buckets
+ CreatePolicyAWSPubliclyAccessibleCloudTrailS3BucketsRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSPubliclyAccessibleCloudTrailS3Buckets
+ - None
+ ## AWS Publicly Accessible RDS Instances
+ CreatePolicyAWSPubliclyAccessibleRDSInstancesRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSPubliclyAccessibleRDSInstances
+ - None
+ CreatePolicyAWSPubliclyAccessibleRDSInstancesAction: !Equals
+ - !Ref paramPermsAWSPubliclyAccessibleRDSInstances
+ - Read and Take Action
+ ## AWS RDS Instances With Unapproved Backup Settings
+ CreatePolicyAWSRDSInstancesWithUnapprovedBackupSettingsRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSRDSInstancesWithUnapprovedBackupSettings
+ - None
+ ## AWS Regions Without Access Analyzer Enabled
+ CreatePolicyAWSRegionsWithoutAccessAnalyzerEnabledRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSRegionsWithoutAccessAnalyzerEnabled
+ - None
+ ## AWS Regions Without Config Fully Enabled
+ CreatePolicyAWSRegionsWithoutConfigFullyEnabledRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSRegionsWithoutConfigFullyEnabled
+ - None
+ ## AWS Regions Without Default EBS Encryption
+
CreatePolicyAWSRegionsWithoutDefaultEBSEncryptionRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSRegionsWithoutDefaultEBSEncryption
+ - None
+ ## AWS Reserved Instances Coverage
+ CreatePolicyAWSReservedInstancesCoverageRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSReservedInstancesCoverage
+ - None
+ ## AWS Reserved Instances Recommendations
+ CreatePolicyAWSReservedInstancesRecommendationsRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSReservedInstancesRecommendations
+ - None
+ ## AWS Rightsize EBS Volumes
+ CreatePolicyAWSRightsizeEBSVolumesRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSRightsizeEBSVolumes
+ - None
+ CreatePolicyAWSRightsizeEBSVolumesAction: !Equals
+ - !Ref paramPermsAWSRightsizeEBSVolumes
+ - Read and Take Action
+ ## AWS Rightsize EC2 Instances
 CreatePolicyAWSRightsizeEC2InstancesRead: !Not
 - !Equals
 - !Ref paramPermsAWSRightsizeEC2Instances
- - No Access
+ - None
 CreatePolicyAWSRightsizeEC2InstancesAction: !Equals
 - !Ref paramPermsAWSRightsizeEC2Instances
 - Read and Take Action
- CreatePolicyAWSSupersededEC2InstancesRead: !Not
+ ## AWS Rightsize ElastiCache
+ CreatePolicyAWSRightsizeElastiCacheRead: !Not
 - !Equals
- - !Ref paramPermsAWSSupersededEC2Instances
- - No Access
- CreatePolicyAWSSupersededEC2InstancesAction: !Equals
- - !Ref paramPermsAWSSupersededEC2Instances
+ - !Ref paramPermsAWSRightsizeElastiCache
+ - None
+ CreatePolicyAWSRightsizeElastiCacheAction: !Equals
+ - !Ref paramPermsAWSRightsizeElastiCache
+ - Read and Take Action
+ ## AWS Rightsize RDS Instances
+ CreatePolicyAWSRightsizeRDSInstancesRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSRightsizeRDSInstances
+ - None
+ CreatePolicyAWSRightsizeRDSInstancesAction: !Equals
+ - !Ref paramPermsAWSRightsizeRDSInstances
 - Read and Take Action
- CreatePolicyAWSReservedInstancesRecommendationRead: !Not
- - !Equals
- - !Ref paramPermsAWSReservedInstancesRecommendation
- - No Access
- # Policy has no actions currently, commenting out to prevent cfn-lint W8001 Error Condition not used
- #
CreatePolicyAWSReservedInstancesRecommendationAction: !Equals
- # - !Ref paramPermsAWSReservedInstancesRecommendation
- # - Read and Take Action
- CreatePolicyAWSObjectStorageOptimizationRead: !Not
- - !Equals
- - !Ref paramPermsAWSObjectStorageOptimization
- - No Access
- CreatePolicyAWSObjectStorageOptimizationAction: !Equals
- - !Ref paramPermsAWSObjectStorageOptimization
+ ## AWS Rightsize Redshift
+ CreatePolicyAWSRightsizeRedshiftRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSRightsizeRedshift
+ - None
+ CreatePolicyAWSRightsizeRedshiftAction: !Equals
+ - !Ref paramPermsAWSRightsizeRedshift
 - Read and Take Action
- CreatePolicyAWSExpiringSavingsPlansRead: !Not
+ ## AWS S3 Buckets Accepting HTTP Requests
+ CreatePolicyAWSS3BucketsAcceptingHTTPRequestsRead: !Not
 - !Equals
- - !Ref paramPermsAWSExpiringSavingsPlans
- - No Access
- # Policy has no actions currently, commenting out to prevent cfn-lint W8001 Error Condition not used
- # CreatePolicyAWSExpiringSavingsPlansAction: !Equals
- # - !Ref paramPermsAWSExpiringSavingsPlans
- # - Read and Take Action
+ - !Ref paramPermsAWSS3BucketsAcceptingHTTPRequests
+ - None
+ ## AWS S3 Buckets Without Default Encryption Configuration
+ CreatePolicyAWSS3BucketsWithoutDefaultEncryptionConfigurationRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSS3BucketsWithoutDefaultEncryptionConfiguration
+ - None
+ CreatePolicyAWSS3BucketsWithoutDefaultEncryptionConfigurationAction: !Equals
+ - !Ref paramPermsAWSS3BucketsWithoutDefaultEncryptionConfiguration
+ - Read and Take Action
+ ## AWS S3 Buckets Without Intelligent Tiering
+ CreatePolicyAWSS3BucketsWithoutIntelligentTieringRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSS3BucketsWithoutIntelligentTiering
+ - None
+ ## AWS S3 Buckets Without Lifecycle Configuration
+ CreatePolicyAWSS3BucketsWithoutLifecycleConfigurationRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSS3BucketsWithoutLifecycleConfiguration
+ - None
+ ## AWS S3 Buckets Without MFA Delete Enabled
+
CreatePolicyAWSS3BucketsWithoutMFADeleteEnabledRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSS3BucketsWithoutMFADeleteEnabled
+ - None
+ ## AWS S3 Buckets Without Public Access Blocked
+ CreatePolicyAWSS3BucketsWithoutPublicAccessBlockedRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSS3BucketsWithoutPublicAccessBlocked
+ - None
+ ## AWS S3 Buckets Without Server Access Logging
+ CreatePolicyAWSS3BucketsWithoutServerAccessLoggingRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSS3BucketsWithoutServerAccessLogging
+ - None
+ CreatePolicyAWSS3BucketsWithoutServerAccessLoggingAction: !Equals
+ - !Ref paramPermsAWSS3BucketsWithoutServerAccessLogging
+ - Read and Take Action
+ ## AWS S3 Incomplete Multi-Part Uploads
+ CreatePolicyAWSS3IncompleteMultiPartUploadsRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSS3IncompleteMultiPartUploads
+ - None
+ CreatePolicyAWSS3IncompleteMultiPartUploadsAction: !Equals
+ - !Ref paramPermsAWSS3IncompleteMultiPartUploads
+ - Read and Take Action
+ ## AWS Savings Plan Recommendations
 CreatePolicyAWSSavingsPlanRecommendationsRead: !Not
 - !Equals
 - !Ref paramPermsAWSSavingsPlanRecommendations
- - No Access
- # Policy has no actions currently, commenting out to prevent cfn-lint W8001 Error Condition not used
- # CreatePolicyAWSSavingsPlanRecommendationsAction: !Equals
- # - !Ref paramPermsAWSSavingsPlanRecommendations
- # - Read and Take Action
+ - None
+ ## AWS Savings Plan Utilization
 CreatePolicyAWSSavingsPlanUtilizationRead: !Not
 - !Equals
 - !Ref paramPermsAWSSavingsPlanUtilization
- - No Access
- # Policy has no actions currently, commenting out to prevent cfn-lint W8001 Error Condition not used
- # CreatePolicyAWSSavingsPlanUtilizationAction: !Equals
- # - !Ref paramPermsAWSSavingsPlanUtilization
- # - Read and Take Action
+ - None
+ ## AWS Schedule Instance
+ CreatePolicyAWSScheduleInstanceRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSScheduleInstance
+ - None
+ ## AWS Scheduled EC2 Events
+ CreatePolicyAWSScheduledEC2EventsRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSScheduledEC2Events
+ - None
+ ## AWS Superseded EBS Volumes
+ CreatePolicyAWSSupersededEBSVolumesRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSSupersededEBSVolumes
+ - None
+ CreatePolicyAWSSupersededEBSVolumesAction: !Equals
+ - !Ref paramPermsAWSSupersededEBSVolumes
+ - Read and Take Action
+ ## AWS Superseded EC2 Instances
+ CreatePolicyAWSSupersededEC2InstancesRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSSupersededEC2Instances
+ - None
+ CreatePolicyAWSSupersededEC2InstancesAction: !Equals
+ - !Ref paramPermsAWSSupersededEC2Instances
+ - Read and Take Action
+ ## AWS Tag Cardinality Report
 CreatePolicyAWSTagCardinalityReportRead: !Not
 - !Equals
 - !Ref paramPermsAWSTagCardinalityReport
- - No Access
- # Policy has no actions currently, commenting out to prevent cfn-lint W8001 Error Condition not used
- # CreatePolicyAWSTagCardinalityReportAction: !Equals
- # - !Ref paramPermsAWSTagCardinalityReport
- # - Read and Take Action
+ - None
+ ## AWS Unencrypted EBS Volumes
+ CreatePolicyAWSUnencryptedEBSVolumesRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSUnencryptedEBSVolumes
+ - None
+ ## AWS Unencrypted RDS Instances
+ CreatePolicyAWSUnencryptedRDSInstancesRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSUnencryptedRDSInstances
+ - None
+ CreatePolicyAWSUnencryptedRDSInstancesAction: !Equals
+ - !Ref paramPermsAWSUnencryptedRDSInstances
+ - Read and Take Action
+ ## AWS Untagged Resources
 CreatePolicyAWSUntaggedResourcesRead: !Not
 - !Equals
 - !Ref paramPermsAWSUntaggedResources
- - No Access
+ - None
 CreatePolicyAWSUntaggedResourcesAction: !Equals
 - !Ref paramPermsAWSUntaggedResources
 - Read and Take Action
+ ## AWS Unused Application Load Balancers
+ CreatePolicyAWSUnusedApplicationLoadBalancersRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSUnusedApplicationLoadBalancers
+ - None
+ CreatePolicyAWSUnusedApplicationLoadBalancersAction: !Equals
+ - !Ref paramPermsAWSUnusedApplicationLoadBalancers
+ - Read and Take Action
+ ## AWS Unused Classic Load
Balancers
+ CreatePolicyAWSUnusedClassicLoadBalancersRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSUnusedClassicLoadBalancers
+ - None
+ CreatePolicyAWSUnusedClassicLoadBalancersAction: !Equals
+ - !Ref paramPermsAWSUnusedClassicLoadBalancers
+ - Read and Take Action
+ ## AWS Unused ECS Clusters
+ CreatePolicyAWSUnusedECSClustersRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSUnusedECSClusters
+ - None
+ CreatePolicyAWSUnusedECSClustersAction: !Equals
+ - !Ref paramPermsAWSUnusedECSClusters
+ - Read and Take Action
+ ## AWS Unused IAM Credentials
+ CreatePolicyAWSUnusedIAMCredentialsRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSUnusedIAMCredentials
+ - None
+ ## AWS Unused IP Addresses
+ CreatePolicyAWSUnusedIPAddressesRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSUnusedIPAddresses
+ - None
+ CreatePolicyAWSUnusedIPAddressesAction: !Equals
+ - !Ref paramPermsAWSUnusedIPAddresses
+ - Read and Take Action
+ ## AWS Unused Network Load Balancers
+ CreatePolicyAWSUnusedNetworkLoadBalancersRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSUnusedNetworkLoadBalancers
+ - None
+ CreatePolicyAWSUnusedNetworkLoadBalancersAction: !Equals
+ - !Ref paramPermsAWSUnusedNetworkLoadBalancers
+ - Read and Take Action
+ ## AWS VPCs Without FlowLogs Enabled
+ CreatePolicyAWSVPCsWithoutFlowLogsEnabledRead: !Not
+ - !Equals
+ - !Ref paramPermsAWSVPCsWithoutFlowLogsEnabled
+ - None
+ ## Common Bill Ingestion from AWS S3 Object Storage
+ CreatePolicyCommonBillIngestionfromAWSS3ObjectStorageRead: !Not
+ - !Equals
+ - !Ref paramPermsCommonBillIngestionfromAWSS3ObjectStorage
+ - None
+ # End for each policy template
 ValueProvidedparamPermsAttachExistingPolicies: !Not
 - !Equals
@@ -399,62 +1699,440 @@ Mappings:
 PermissionMap:
 # Begin IAM Permissions Map
 # Expect 2 lists for each Policy Template (read and action)
- #### For each policy template append:
- # :
- # read:
- # - ""
- # action:
- # - ""
- AWSUnusedVolumes:
+ ## All AWS Policy Templates
+ AllAWSPolicyTemplates:
 read:
- - "ec2:DescribeRegions"
- - "ec2:DescribeVolumes"
- - "ec2:DescribeSnapshots"
- - "cloudwatch:GetMetricStatistics"
+ - "access-analyzer:ListAnalyzers"
+ - "ce:GetReservationCoverage"
+ - "ce:GetReservationPurchaseRecommendation"
+ - "ce:GetSavingsPlansPurchaseRecommendation"
+ - "ce:GetSavingsPlansUtilization"
+ - "cloudtrail:DescribeTrails"
+ - "cloudtrail:GetEventSelectors"
+ - "cloudtrail:GetTrailStatus"
+ - "cloudtrail:LookupEvents"
 - "cloudwatch:GetMetricData"
- action:
+ - "cloudwatch:GetMetricStatistics"
+ - "cloudwatch:ListMetrics"
+ - "compute-optimizer:GetEC2InstanceRecommendations"
+ - "config:DescribeConfigurationRecorderStatus"
 - "ec2:CreateTags"
- - "ec2:CreateSnapshot"
- - "ec2:DetachVolume"
- - "ec2:DeleteVolume"
- AWSRightsizeEBSVolumes:
- read:
+ - "ec2:DeleteTags"
+ - "ec2:DescribeAddresses"
+ - "ec2:DescribeFlowLogs"
+ - "ec2:DescribeImages"
+ - "ec2:DescribeInstanceStatus"
+ - "ec2:DescribeInstances"
+ - "ec2:DescribeNatGateways"
 - "ec2:DescribeRegions"
+ - "ec2:DescribeSnapshots"
+ - "ec2:DescribeTags"
 - "ec2:DescribeVolumes"
+ - "ec2:DescribeVpcs"
+ - "ec2:GetEbsEncryptionByDefault"
+ - "ec2:StartInstances"
+ - "ec2:StopInstances"
+ - "ec2:TerminateInstances"
+ - "ecs:DescribeClusters"
+ - "ecs:ListClusters"
+ - "eks:DescribeCluster"
+ - "eks:DescribeNodegroup"
+ - "eks:ListClusters"
+ - "eks:ListNodegroups"
+ - "elasticache:DescribeCacheClusters"
+ - "elasticache:ListTagsForResource"
+ - "elasticloadbalancing:DescribeInstanceHealth"
+ - "elasticloadbalancing:DescribeListeners"
+ - "elasticloadbalancing:DescribeLoadBalancers"
+ - "elasticloadbalancing:DescribeTags"
+ - "elasticloadbalancing:DescribeTargetGroups"
+ -
"elasticloadbalancing:DescribeTargetHealth" + - "iam:GenerateCredentialReport" + - "iam:GetAccountPasswordPolicy" + - "iam:GetAccountSummary" + - "iam:GetCredentialReport" + - "iam:GetPolicyVersion" + - "iam:ListAccessKeys" + - "iam:ListAttachedUserPolicies" + - "iam:ListEntitiesForPolicy" + - "iam:ListPolicies" + - "iam:ListRoleTags" + - "iam:ListRoles" + - "iam:ListServerCertificates" + - "iam:ListUserPolicies" + - "iam:ListUsers" + - "iam:ListVirtualMFADevices" + - "kms:CreateGrant" + - "kms:Decrypt" + - "kms:GetKeyRotationStatus" + - "kms:ListKeys" + - "lambda:ListFunctions" + - "lambda:ListProvisionedConcurrencyConfigs" + - "lambda:ListTags" + - "lambda:ListVersionsByFunction" + - "organizations:ListAccounts" + - "organizations:ListPolicies" + - "organizations:ListPoliciesForTarget" + - "organizations:ListTagsForResource" - "pricing:GetProducts" + - "rds:DescribeDBClusterSnapshots" + - "rds:DescribeDBClusters" + - "rds:DescribeDBInstances" + - "rds:DescribeDBSnapshots" + - "rds:DescribeOrderableDBInstanceOptions" + - "rds:ListTagsForResource" + - "redshift:DescribeClusters" + - "s3:GetBucketAcl" + - "s3:GetBucketLocation" + - "s3:GetBucketLogging" + - "s3:GetBucketPolicy" + - "s3:GetBucketPublicAccessBlock" + - "s3:GetBucketTagging" + - "s3:GetBucketVersioning" + - "s3:GetEncryptionConfiguration" + - "s3:GetIntelligentTieringConfiguration" + - "s3:GetLifecycleConfiguration" + - "s3:GetObject" + - "s3:ListAllMyBuckets" + - "s3:ListBucketMultipartUploads" + - "s3:ListMultipartUploadParts" + - "savingsplans:DescribeSavingsPlans" + - "sts:GetCallerIdentity" + - "tag:GetResources" action: + - "cloudtrail:PutEventSelectors" + - "ec2:DeleteNatGateway" + - "ec2:DeleteSnapshot" + - "ec2:DeregisterImage" + - "ec2:DescribeInstanceStatus" + - "ec2:ModifyInstanceAttribute" - "ec2:ModifyVolume" - AWSRightsizeRDSInstances: + - "ec2:ReleaseAddress" + - "ec2:StartInstances" + - "ec2:StopInstances" + - "ec2:TerminateInstances" + - "ecs:DeleteCluster" + - 
"elasticache:ModifyCacheCluster" + - "elasticloadbalancing:DeleteLoadBalancer" + - "organizations:TagResource" + - "rds:DeleteDBClusterSnapshot" + - "rds:DeleteDBInstance" + - "rds:DeleteDBSnapshot" + - "rds:ModifyDBInstance" + - "redshift:ModifyCluster" + - "s3:AbortMultipartUpload" + - "s3:DeleteBucket" + - "s3:PutBucketLogging" + - "s3:PutEncryptionConfiguration" + - "tag:TagResources" + ## AWS Account Credentials + AWSAccountCredentials: + read: + - "sts:GetCallerIdentity" + action: [] + ## AWS Accounts Missing Service Control Policies + AWSAccountsMissingServiceControlPolicies: + read: + - "organizations:ListPolicies" + - "organizations:ListAccounts" + - "organizations:ListPoliciesForTarget" + action: [] + ## AWS Burstable EC2 Instances + AWSBurstableEC2Instances: read: - "sts:GetCallerIdentity" - - "cloudwatch:GetMetricStatistics" - "cloudwatch:GetMetricData" + - "cloudwatch:ListMetrics" - "ec2:DescribeRegions" - - "rds:DescribeDBInstances" - - "rds:ListTagsForResource" - - "rds:DescribeOrderableDBInstanceOptions" + - "ec2:DescribeInstances" + - "ec2:DescribeTags" action: - - "rds:ModifyDBInstance" - - "rds:DeleteDBInstance" - AWSUnusedIPAddresses: + - "ec2:DescribeInstanceStatus" + - "ec2:ModifyInstanceAttribute" + - "ec2:StartInstances" + - "ec2:StopInstances" + ## AWS CloudTrail Not Enabled In All Regions + AWSCloudTrailNotEnabledInAllRegions: read: - - "ec2:DescribeRegions" - - "ec2:DescribeAddresses" - - "pricing:GetProducts" - "sts:GetCallerIdentity" - - "cloudtrail:LookupEvents" - action: - - "ec2:ReleaseAddress" - AWSUnusedCLBs: + - "cloudtrail:DescribeTrails" + - "cloudtrail:GetTrailStatus" + - "cloudtrail:GetEventSelectors" + action: [] + ## AWS CloudTrail S3 Buckets Without Access Logging + AWSCloudTrailS3BucketsWithoutAccessLogging: read: - "sts:GetCallerIdentity" - - "ec2:DescribeRegions" - - "elasticloadbalancing:DescribeLoadBalancers" - - "elasticloadbalancing:DescribeInstanceHealth" - - "elasticloadbalancing:DescribeTags" - action: - - 
"elasticloadbalancing:DeleteLoadBalancer" - AWSOldSnapshots: + - "cloudtrail:DescribeTrails" + - "s3:GetBucketLocation" + - "s3:GetBucketLogging" + action: [] + ## AWS CloudTrails Not Integrated With CloudWatch + AWSCloudTrailsNotIntegratedWithCloudWatch: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + - "cloudtrail:GetTrailStatus" + action: [] + ## AWS CloudTrails With Read Logging Enabled + AWSCloudTrailsWithReadLoggingEnabled: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + - "cloudtrail:GetEventSelectors" + action: + - "cloudtrail:PutEventSelectors" + ## AWS CloudTrails Without Encrypted Logs + AWSCloudTrailsWithoutEncryptedLogs: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + action: [] + ## AWS CloudTrails Without Log File Validation Enabled + AWSCloudTrailsWithoutLogFileValidationEnabled: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + action: [] + ## AWS CloudTrails Without Object-level Events Logging Enabled + AWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + - "cloudtrail:GetEventSelectors" + action: [] + ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled + AWSCustomerManagedKeysCMKsWithoutRotationEnabled: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "kms:ListKeys" + - "kms:GetKeyRotationStatus" + action: [] + ## AWS Disallowed Regions + AWSDisallowedRegions: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + action: + - "ec2:StopInstances" + - "ec2:TerminateInstances" + ## AWS EC2 Compute Optimizer Recommendations + AWSEC2ComputeOptimizerRecommendations: + read: + - "sts:GetCallerIdentity" + - "compute-optimizer:GetEC2InstanceRecommendations" + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + action: + - "ec2:ModifyInstanceAttribute" + - "ec2:StartInstances" + - "ec2:StopInstances" + ## AWS EC2 Instances Time Stopped 
Report
+ AWSEC2InstancesTimeStoppedReport:
+ read:
+ - "ec2:DescribeRegions"
+ - "ec2:DescribeInstances"
+ - "sts:GetCallerIdentity"
+ action:
+ - "ec2:DescribeInstanceStatus"
+ - "ec2:StopInstances"
+ - "ec2:TerminateInstances"
+ ## AWS EC2 Instances not running FlexNet Inventory Agent
+ AWSEC2InstancesnotrunningFlexNetInventoryAgent:
+ read:
+ - "ec2:DescribeRegions"
+ - "ec2:DescribeInstances"
+ action: []
+ ## AWS EKS Clusters Without Spot Instances
+ AWSEKSClustersWithoutSpotInstances:
+ read:
+ - "sts:GetCallerIdentity"
+ - "ec2:DescribeRegions"
+ - "eks:ListClusters"
+ - "eks:ListNodegroups"
+ - "eks:DescribeCluster"
+ - "eks:DescribeNodegroup"
+ action: []
+ ## AWS Elastic Load Balancers With Unencrypted Listeners
+ AWSElasticLoadBalancersWithUnencryptedListeners:
+ read:
+ - "sts:GetCallerIdentity"
+ - "ec2:DescribeRegions"
+ - "elasticloadbalancing:DescribeLoadBalancers"
+ - "elasticloadbalancing:DescribeTags"
+ - "elasticloadbalancing:DescribeListeners"
+ action: []
+ ## AWS Expiring Savings Plans
+ AWSExpiringSavingsPlans:
+ read:
+ - "savingsplans:DescribeSavingsPlans"
+ action: []
+ ## AWS IAM Account Missing Support Role
+ AWSIAMAccountMissingSupportRole:
+ read:
+ - "sts:GetCallerIdentity"
+ - "iam:ListPolicies"
+ - "iam:ListEntitiesForPolicy"
+ action: []
+ ## AWS IAM Attached Admin Policies
+ AWSIAMAttachedAdminPolicies:
+ read:
+ - "sts:GetCallerIdentity"
+ - "iam:ListPolicies"
+ - "iam:GetPolicyVersion"
+ action: []
+ ## AWS IAM Expired SSL/TLS Certificates
+ AWSIAMExpiredSSLTLSCertificates:
+ read:
+ - "sts:GetCallerIdentity"
+ - "iam:ListServerCertificates"
+ action: []
+ ## AWS IAM Insufficient Required Password Length
+ AWSIAMInsufficientRequiredPasswordLength:
+ read:
+ - "sts:GetCallerIdentity"
+ - "iam:GetAccountPasswordPolicy"
+ action: []
+ ## AWS IAM Password Policy Not Restricting Password Reuse
+ AWSIAMPasswordPolicyNotRestrictingPasswordReuse:
+ read:
+ - "sts:GetCallerIdentity"
+ - "iam:GetAccountPasswordPolicy"
+ action: []
+ ##
AWS IAM Role Audit
+ AWSIAMRoleAudit:
+ read:
+ - "sts:GetCallerIdentity"
+ - "iam:ListRoles"
+ - "iam:ListRoleTags"
+ action: []
+ ## AWS IAM Root Account Access Keys
+ AWSIAMRootAccountAccessKeys:
+ read:
+ - "sts:GetCallerIdentity"
+ - "iam:GetAccountSummary"
+ action: []
+ ## AWS IAM Root User Account Without Hardware MFA
+ AWSIAMRootUserAccountWithoutHardwareMFA:
+ read:
+ - "sts:GetCallerIdentity"
+ - "iam:GetAccountSummary"
+ - "iam:ListVirtualMFADevices"
+ action: []
+ ## AWS IAM Root User Account Without MFA
+ AWSIAMRootUserAccountWithoutMFA:
+ read:
+ - "sts:GetCallerIdentity"
+ - "iam:GetAccountSummary"
+ - "iam:ListVirtualMFADevices"
+ action: []
+ ## AWS IAM Root User Doing Everyday Tasks
+ AWSIAMRootUserDoingEverydayTasks:
+ read:
+ - "sts:GetCallerIdentity"
+ - "iam:GenerateCredentialReport"
+ - "iam:GetCredentialReport"
+ action: []
+ ## AWS IAM User Accounts Without MFA
+ AWSIAMUserAccountsWithoutMFA:
+ read:
+ - "sts:GetCallerIdentity"
+ - "iam:GenerateCredentialReport"
+ - "iam:GetCredentialReport"
+ action: []
+ ## AWS IAM Users With Directly-Attached Policies
+ AWSIAMUsersWithDirectlyAttachedPolicies:
+ read:
+ - "sts:GetCallerIdentity"
+ - "iam:ListUsers"
+ - "iam:ListUserPolicies"
+ - "iam:ListAttachedUserPolicies"
+ action: []
+ ## AWS IAM Users With Multiple Active Access Keys
+ AWSIAMUsersWithMultipleActiveAccessKeys:
+ read:
+ - "sts:GetCallerIdentity"
+ - "iam:ListUsers"
+ - "iam:ListAccessKeys"
+ action: []
+ ## AWS IAM Users With Old Access Keys
+ AWSIAMUsersWithOldAccessKeys:
+ read:
+ - "sts:GetCallerIdentity"
+ - "iam:GenerateCredentialReport"
+ - "iam:GetCredentialReport"
+ action: []
+ ## AWS Idle NAT Gateways
+ AWSIdleNATGateways:
+ read:
+ - "ec2:DescribeRegions"
+ - "ec2:DescribeNatGateways"
+ - "sts:GetCallerIdentity"
+ action:
+ - "ec2:DeleteNatGateway"
+ ## AWS Internet-Accessible Elastic Load Balancers
+ AWSInternetAccessibleElasticLoadBalancers:
+ read:
+ - "sts:GetCallerIdentity"
+ - "ec2:DescribeRegions"
+ -
"elasticloadbalancing:DescribeLoadBalancers" + - "elasticloadbalancing:DescribeTags" + - "elasticloadbalancing:DescribeListeners" + action: + - "elasticloadbalancing:DeleteLoadBalancer" + ## AWS Lambda Functions With High Error Rate + AWSLambdaFunctionsWithHighErrorRate: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "lambda:ListFunctions" + - "lambda:ListTags" + - "cloudwatch:ListMetrics" + - "cloudwatch:GetMetricData" + action: [] + ## AWS Lambda Functions Without Provisioned Concurrency + AWSLambdaFunctionsWithoutProvisionedConcurrency: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "lambda:ListFunctions" + - "lambda:ListTags" + - "lambda:ListProvisionedConcurrencyConfigs" + - "lambda:ListVersionsByFunction" + action: [] + ## AWS Long Running Instances + AWSLongRunningInstances: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "sts:GetCallerIdentity" + action: + - "ec2:DescribeInstanceStatus" + - "ec2:StopInstances" + - "ec2:TerminateInstances" + ## AWS Long Stopped EC2 Instances + AWSLongStoppedEC2Instances: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "cloudwatch:GetMetricStatistics" + - "cloudwatch:GetMetricData" + - "cloudwatch:ListMetrics" + - "sts:GetCallerIdentity" + action: + - "ec2:DescribeInstanceStatus" + - "ec2:TerminateInstances" + ## AWS Missing Regions + AWSMissingRegions: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "sts:GetCallerIdentity" + action: [] + ## AWS Old Snapshots + AWSOldSnapshots: read: - "ec2:DescribeRegions" - "ec2:DescribeImages" 
@@ -470,6 +2148,91 @@ Mappings: - "ec2:DeleteSnapshot" - "rds:DeleteDBClusterSnapshot" - "rds:DeleteDBSnapshot" + ## AWS Open S3 Buckets + AWSOpenS3Buckets: + read: + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketAcl" + - "sts:GetCallerIdentity" + action: [] + ## AWS Oversized S3 Buckets + AWSOversizedS3Buckets: + read: + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "cloudwatch:ListMetrics" + - "cloudwatch:GetMetricData" + - "sts:GetCallerIdentity" + action: [] + ## AWS Publicly Accessible CloudTrail S3 Buckets + AWSPubliclyAccessibleCloudTrailS3Buckets: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + - "s3:GetBucketLocation" + - "s3:GetBucketAcl" + - "s3:GetBucketPolicy" + action: [] + ## AWS Publicly Accessible RDS Instances + AWSPubliclyAccessibleRDSInstances: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "rds:DescribeDBInstances" + - "rds:ListTagsForResource" + action: + - "rds:ModifyDBInstance" + - "rds:DeleteDBInstance" + ## AWS RDS Instances With Unapproved Backup Settings + AWSRDSInstancesWithUnapprovedBackupSettings: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "rds:DescribeDBInstances" + - "rds:ListTagsForResource" + action: [] + ## AWS Regions Without Access Analyzer Enabled + AWSRegionsWithoutAccessAnalyzerEnabled: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "access-analyzer:ListAnalyzers" + action: [] + ## AWS Regions Without Config Fully Enabled + AWSRegionsWithoutConfigFullyEnabled: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "config:DescribeConfigurationRecorderStatus" + action: [] + ## AWS Regions Without Default EBS Encryption + AWSRegionsWithoutDefaultEBSEncryption: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ec2:GetEbsEncryptionByDefault" + action: [] + ## AWS Reserved Instances Coverage + AWSReservedInstancesCoverage: + read: + - "ce:GetReservationCoverage" + 
action: [] + ## AWS Reserved Instances Recommendations + AWSReservedInstancesRecommendations: + read: + - "ce:GetReservationPurchaseRecommendation" + action: [] + ## AWS Rightsize EBS Volumes + AWSRightsizeEBSVolumes: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeVolumes" + - "pricing:GetProducts" + action: + - "ec2:ModifyVolume" + ## AWS Rightsize EC2 Instances AWSRightsizeEC2Instances: read: - "ec2:DescribeRegions" 
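Review bot: The `AWSRightsizeEBSVolumes` read list at the end of this hunk omits `sts:GetCallerIdentity`, while `AWSSupersededEBSVolumes` in the next hunk declares the same `ec2:DescribeRegions`/`ec2:DescribeVolumes`/`pricing:GetProducts` set plus `sts:GetCallerIdentity` for the same `ec2:ModifyVolume` action; one of the two declarations is either under- or over-granted and they should be reconciled. This template looks generated (the `# End for each policy template` marker is re-emitted in the next hunk), so the correction presumably belongs in that policy template's permission metadata rather than in this output. `AWSPubliclyAccessibleRDSInstances` grants `rds:DeleteDBInstance` alongside `rds:ModifyDBInstance` as its action set; if the intended remediation is only to clear public accessibility, the delete permission is an avoidable destructive grant, and if deletion is a deliberate option it deserves a comment such as `## action: rds:DeleteDBInstance is only needed for the "delete instance" remediation option` so the broader grant is visible to whoever reviews the generated policy.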
@@ -485,61 +2248,275 @@ Mappings: - "ec2:StartInstances" - "ec2:StopInstances" - "ec2:TerminateInstances" - AWSSupersededEC2Instances: + ## AWS Rightsize ElastiCache + AWSRightsizeElastiCache: read: + - "sts:GetCallerIdentity" + - "cloudwatch:GetMetricData" - "ec2:DescribeRegions" - - "ec2:DescribeInstances" - - "ec2:DescribeTags" + - "elasticache:DescribeCacheClusters" + - "elasticache:ListTagsForResource" + action: + - "elasticache:ModifyCacheCluster" + ## AWS Rightsize RDS Instances + AWSRightsizeRDSInstances: + read: - "sts:GetCallerIdentity" + - "cloudwatch:GetMetricStatistics" + - "cloudwatch:GetMetricData" + - "ec2:DescribeRegions" + - "rds:DescribeDBInstances" + - "rds:ListTagsForResource" + - "rds:DescribeOrderableDBInstanceOptions" action: - - "ec2:DescribeInstanceStatus" - - "ec2:ModifyInstanceAttribute" - - "ec2:StartInstances" - - "ec2:StopInstances" - AWSReservedInstancesRecommendation: + - "rds:ModifyDBInstance" + - "rds:DeleteDBInstance" + ## AWS Rightsize Redshift + AWSRightsizeRedshift: read: - - "ce:GetReservationPurchaseRecommendation" + - "sts:GetCallerIdentity" + - "cloudwatch:GetMetricData" + - "ec2:DescribeRegions" + - "redshift:DescribeClusters" + action: + - "redshift:ModifyCluster" + ## AWS S3 Buckets Accepting HTTP Requests + AWSS3BucketsAcceptingHTTPRequests: + read: + - "sts:GetCallerIdentity" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetBucketPolicy" action: [] - AWSObjectStorageOptimization: + ## AWS S3 Buckets Without Default Encryption Configuration + AWSS3BucketsWithoutDefaultEncryptionConfiguration: read: - "sts:GetCallerIdentity" - "s3:ListAllMyBuckets" - "s3:GetBucketLocation" - - "s3:ListBucket" - - "s3:GetObject" - - "s3:GetObjectTagging" + - "s3:GetBucketTagging" + - "s3:GetEncryptionConfiguration" action: - - "s3:PutObject" - - "s3:DeleteObject" - AWSExpiringSavingsPlans: + - "s3:PutEncryptionConfiguration" + - "s3:DeleteBucket" + ## AWS S3 Buckets Without Intelligent Tiering + 
AWSS3BucketsWithoutIntelligentTiering: read: - - "savingsplans:DescribeSavingsPlans" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetIntelligentTieringConfiguration" + - "sts:GetCallerIdentity" action: [] - AWSSavingsPlanRecommendations: + ## AWS S3 Buckets Without Lifecycle Configuration + AWSS3BucketsWithoutLifecycleConfiguration: read: - - "ce:GetSavingsPlansPurchaseRecommendation" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetLifecycleConfiguration" + - "sts:GetCallerIdentity" action: [] - AWSSavingsPlanUtilization: + ## AWS S3 Buckets Without MFA Delete Enabled + AWSS3BucketsWithoutMFADeleteEnabled: read: - - "ce:GetSavingsPlansUtilization" - - "savingsplans:DescribeSavingsPlans" + - "sts:GetCallerIdentity" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetBucketVersioning" action: [] - AWSTagCardinalityReport: + ## AWS S3 Buckets Without Public Access Blocked + AWSS3BucketsWithoutPublicAccessBlocked: read: - - "tag:GetResources" - - "ec2:DescribeRegions" - - "organizations:ListAccounts" - - "organizations:ListTagsForResource" + - "sts:GetCallerIdentity" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetBucketPublicAccessBlock" action: [] - AWSUntaggedResources: + ## AWS S3 Buckets Without Server Access Logging + AWSS3BucketsWithoutServerAccessLogging: + read: + - "sts:GetCallerIdentity" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetBucketLogging" + action: + - "s3:PutBucketLogging" + ## AWS S3 Incomplete Multi-Part Uploads + AWSS3IncompleteMultiPartUploads: + read: + - "sts:GetCallerIdentity" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:ListBucketMultipartUploads" + - "s3:ListMultipartUploadParts" + action: + - "s3:AbortMultipartUpload" + ## AWS Savings Plan Recommendations + AWSSavingsPlanRecommendations: + 
read: + - "ce:GetSavingsPlansPurchaseRecommendation" + action: [] + ## AWS Savings Plan Utilization + AWSSavingsPlanUtilization: + read: + - "ce:GetSavingsPlansUtilization" + - "savingsplans:DescribeSavingsPlans" + action: [] + ## AWS Schedule Instance + AWSScheduleInstance: + read: + - "ec2:DescribeInstances" + - "ec2:StartInstances" + - "ec2:StopInstances" + - "ec2:DeleteTags" + - "ec2:DescribeRegions" + - "kms:CreateGrant" + - "kms:Decrypt" + - "ec2:CreateTags" + - "ec2:TerminateInstances" + action: [] + ## AWS Scheduled EC2 Events + AWSScheduledEC2Events: + read: + - "ec2:DescribeInstances" + - "ec2:DescribeInstanceStatus" + - "ec2:DescribeRegions" + - "sts:GetCallerIdentity" + action: [] + ## AWS Superseded EBS Volumes + AWSSupersededEBSVolumes: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ec2:DescribeVolumes" + - "pricing:GetProducts" + action: + - "ec2:ModifyVolume" + ## AWS Superseded EC2 Instances + AWSSupersededEC2Instances: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "ec2:DescribeTags" + - "sts:GetCallerIdentity" + action: + - "ec2:DescribeInstanceStatus" + - "ec2:ModifyInstanceAttribute" + - "ec2:StartInstances" + - "ec2:StopInstances" + ## AWS Tag Cardinality Report + AWSTagCardinalityReport: + read: + - "tag:GetResources" + - "ec2:DescribeRegions" + - "organizations:ListAccounts" + - "organizations:ListTagsForResource" + action: [] + ## AWS Unencrypted EBS Volumes + AWSUnencryptedEBSVolumes: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ec2:DescribeVolumes" + action: [] + ## AWS Unencrypted RDS Instances + AWSUnencryptedRDSInstances: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "rds:DescribeDBInstances" + - "rds:ListTagsForResource" + action: + - "rds:DeleteDBInstance" + ## AWS Untagged Resources + AWSUntaggedResources: read: - "sts:GetCallerIdentity" - "ec2:DescribeRegions" - "tag:GetResources" action: - "tag:TagResources" - # End for each policy template + - 
"organizations:TagResource" + ## AWS Unused Application Load Balancers + AWSUnusedApplicationLoadBalancers: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "elasticloadbalancing:DescribeLoadBalancers" + - "elasticloadbalancing:DescribeListeners" + - "elasticloadbalancing:DescribeTags" + - "elasticloadbalancing:DescribeTargetGroups" + - "elasticloadbalancing:DescribeTargetHealth" + action: + - "elasticloadbalancing:DeleteLoadBalancer" + ## AWS Unused Classic Load Balancers + AWSUnusedClassicLoadBalancers: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "elasticloadbalancing:DescribeLoadBalancers" + - "elasticloadbalancing:DescribeInstanceHealth" + - "elasticloadbalancing:DescribeTags" + action: + - "elasticloadbalancing:DeleteLoadBalancer" + ## AWS Unused ECS Clusters + AWSUnusedECSClusters: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ecs:ListClusters" + - "ecs:DescribeClusters" + action: + - "ecs:DeleteCluster" + ## AWS Unused IAM Credentials + AWSUnusedIAMCredentials: + read: + - "sts:GetCallerIdentity" + - "iam:GenerateCredentialReport" + - "iam:GetCredentialReport" + action: [] + ## AWS Unused IP Addresses + AWSUnusedIPAddresses: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeAddresses" + - "sts:GetCallerIdentity" + - "cloudtrail:LookupEvents" + action: + - "ec2:ReleaseAddress" + ## AWS Unused Network Load Balancers + AWSUnusedNetworkLoadBalancers: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "elasticloadbalancing:DescribeLoadBalancers" + - "elasticloadbalancing:DescribeListeners" + - "elasticloadbalancing:DescribeTags" + - "elasticloadbalancing:DescribeTargetGroups" + - "elasticloadbalancing:DescribeTargetHealth" + action: + - "elasticloadbalancing:DeleteLoadBalancer" + ## AWS VPCs Without FlowLogs Enabled + AWSVPCsWithoutFlowLogsEnabled: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ec2:DescribeVpcs" + - "ec2:DescribeFlowLogs" + action: [] + ## Common Bill 
Ingestion from AWS S3 Object Storage + CommonBillIngestionfromAWSS3ObjectStorage: + read: + - "s3:GetObject" + action: [] + # End for each policy template Resources: # IAM Role Resource 
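Review bot: `AWSScheduleInstance` in this hunk lists `ec2:StartInstances`, `ec2:StopInstances`, `ec2:TerminateInstances`, `ec2:CreateTags`, `ec2:DeleteTags`, `kms:CreateGrant` and `kms:Decrypt` under `read:` with `action: []`, so the `...ReadPermissionPolicy` generated from this map (and presumably any read-only template built from the same source) would grant instance termination and KMS grant creation to a role that opted in to read access only. Every other entry here keeps mutating calls under `action:` — `AWSSupersededEC2Instances`, for example, puts `ec2:StartInstances`/`ec2:StopInstances` there — so the schedule entry should follow the same split, with the consequence that the template's `...Action` condition parameter must then be enabled for scheduling to work. Since the file appears generated (the `# End for each policy template` marker is re-emitted at the end of this hunk), the fix belongs in the source permission declaration for that policy template, not in this output. Separately, `AWSS3BucketsWithoutDefaultEncryptionConfiguration` pairs `s3:PutEncryptionConfiguration` with `s3:DeleteBucket` as its action set; bucket deletion as a remediation for a missing encryption setting is a large blast radius and should carry a comment if it is intentional.

```yaml
  AWSScheduleInstance:
    read:
      - "ec2:DescribeInstances"
      - "ec2:DescribeRegions"
    action:
      - "ec2:StartInstances"
      - "ec2:StopInstances"
      - "ec2:TerminateInstances"
      - "ec2:CreateTags"
      - "ec2:DeleteTags"
      - "kms:CreateGrant"
      - "kms:Decrypt"
```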
@@ -575,54 +2552,1517 @@ Resources: # Begin IAM Permission Policy Resources # 1 or 2 Permission Policies per Policy Template (read and action) # Policy create/attachment is conditional based on parameter input for each policy - #### For each policy template append: - # iamPolicyRead: - # Type: "AWS::IAM::Policy" - # Condition: CreatePolicyRead - # Properties: - # PolicyName: !Join - # - "_" - # - - !Ref paramRoleName - # - ReadPermissionPolicy - # Roles: - # - !Ref iamRole - # PolicyDocument: - # Version: 2012-10-17 - # Statement: - # - Effect: Allow - # Action: !FindInMap - # - PermissionMap - # - - # - read - # Resource: "*" - # iamPolicyAction: - # Type: "AWS::IAM::Policy" - # Condition: CreatePolicyAction - # Properties: - # PolicyName: !Join - # - "_" - # - - !Ref paramRoleName - # - ActionPermissionPolicy - # Roles: - # - !Ref iamRole - # PolicyDocument: - # Version: 2012-10-17 - # Statement: - # - Effect: Allow - # Action: !FindInMap - # - PermissionMap - # - - # - action - # Resource: "*" - ## AWS Unused Volumes Permission Policies - iamPolicyAWSUnusedVolumesRead: + ## All AWS Policy Templates + iamPolicyAllAWSPolicyTemplatesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAllAWSPolicyTemplatesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AllAWSPolicyTemplatesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AllAWSPolicyTemplates + - read + Resource: "*" + iamPolicyAllAWSPolicyTemplatesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAllAWSPolicyTemplatesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AllAWSPolicyTemplatesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AllAWSPolicyTemplates + - action + Resource: "*" + ## AWS Account Credentials + 
iamPolicyAWSAccountCredentialsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSAccountCredentialsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSAccountCredentialsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSAccountCredentials + - read + Resource: "*" + ## AWS Accounts Missing Service Control Policies + iamPolicyAWSAccountsMissingServiceControlPoliciesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSAccountsMissingServiceControlPoliciesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSAccountsMissingServiceControlPoliciesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSAccountsMissingServiceControlPolicies + - read + Resource: "*" + ## AWS Burstable EC2 Instances + iamPolicyAWSBurstableEC2InstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSBurstableEC2InstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSBurstableEC2InstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSBurstableEC2Instances + - read + Resource: "*" + iamPolicyAWSBurstableEC2InstancesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSBurstableEC2InstancesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSBurstableEC2InstancesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSBurstableEC2Instances + - action + Resource: "*" + ## AWS CloudTrail Not Enabled In All Regions + iamPolicyAWSCloudTrailNotEnabledInAllRegionsRead: + Type: "AWS::IAM::Policy" + Condition: 
CreatePolicyAWSCloudTrailNotEnabledInAllRegionsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailNotEnabledInAllRegionsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailNotEnabledInAllRegions + - read + Resource: "*" + ## AWS CloudTrail S3 Buckets Without Access Logging + iamPolicyAWSCloudTrailS3BucketsWithoutAccessLoggingRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailS3BucketsWithoutAccessLoggingRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailS3BucketsWithoutAccessLoggingReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailS3BucketsWithoutAccessLogging + - read + Resource: "*" + ## AWS CloudTrails Not Integrated With CloudWatch + iamPolicyAWSCloudTrailsNotIntegratedWithCloudWatchRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailsNotIntegratedWithCloudWatchRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailsNotIntegratedWithCloudWatchReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailsNotIntegratedWithCloudWatch + - read + Resource: "*" + ## AWS CloudTrails With Read Logging Enabled + iamPolicyAWSCloudTrailsWithReadLoggingEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailsWithReadLoggingEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailsWithReadLoggingEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailsWithReadLoggingEnabled + - read + 
Resource: "*" + iamPolicyAWSCloudTrailsWithReadLoggingEnabledAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailsWithReadLoggingEnabledAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailsWithReadLoggingEnabledActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailsWithReadLoggingEnabled + - action + Resource: "*" + ## AWS CloudTrails Without Encrypted Logs + iamPolicyAWSCloudTrailsWithoutEncryptedLogsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailsWithoutEncryptedLogsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailsWithoutEncryptedLogsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailsWithoutEncryptedLogs + - read + Resource: "*" + ## AWS CloudTrails Without Log File Validation Enabled + iamPolicyAWSCloudTrailsWithoutLogFileValidationEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailsWithoutLogFileValidationEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailsWithoutLogFileValidationEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailsWithoutLogFileValidationEnabled + - read + Resource: "*" + ## AWS CloudTrails Without Object-level Events Logging Enabled + iamPolicyAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailsWithoutObjectlevelEventsLoggingEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + 
PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled + - read + Resource: "*" + ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled + iamPolicyAWSCustomerManagedKeysCMKsWithoutRotationEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCustomerManagedKeysCMKsWithoutRotationEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCustomerManagedKeysCMKsWithoutRotationEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCustomerManagedKeysCMKsWithoutRotationEnabled + - read + Resource: "*" + ## AWS Disallowed Regions + iamPolicyAWSDisallowedRegionsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSDisallowedRegionsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSDisallowedRegionsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSDisallowedRegions + - read + Resource: "*" + iamPolicyAWSDisallowedRegionsAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSDisallowedRegionsAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSDisallowedRegionsActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSDisallowedRegions + - action + Resource: "*" + ## AWS EC2 Compute Optimizer Recommendations + iamPolicyAWSEC2ComputeOptimizerRecommendationsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSEC2ComputeOptimizerRecommendationsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSEC2ComputeOptimizerRecommendationsReadPermissionPolicy + Roles: + - !Ref iamRole + 
PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSEC2ComputeOptimizerRecommendations + - read + Resource: "*" + iamPolicyAWSEC2ComputeOptimizerRecommendationsAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSEC2ComputeOptimizerRecommendationsAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSEC2ComputeOptimizerRecommendationsActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSEC2ComputeOptimizerRecommendations + - action + Resource: "*" + ## AWS EC2 Instances Time Stopped Report + iamPolicyAWSEC2InstancesTimeStoppedReportRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSEC2InstancesTimeStoppedReportRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSEC2InstancesTimeStoppedReportReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSEC2InstancesTimeStoppedReport + - read + Resource: "*" + iamPolicyAWSEC2InstancesTimeStoppedReportAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSEC2InstancesTimeStoppedReportAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSEC2InstancesTimeStoppedReportActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSEC2InstancesTimeStoppedReport + - action + Resource: "*" + ## AWS EC2 Instances not running FlexNet Inventory Agent + iamPolicyAWSEC2InstancesnotrunningFlexNetInventoryAgentRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSEC2InstancesnotrunningFlexNetInventoryAgentRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSEC2InstancesnotrunningFlexNetInventoryAgentReadPermissionPolicy + 
Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSEC2InstancesnotrunningFlexNetInventoryAgent + - read + Resource: "*" + ## AWS EKS Clusters Without Spot Instances + iamPolicyAWSEKSClustersWithoutSpotInstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSEKSClustersWithoutSpotInstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSEKSClustersWithoutSpotInstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSEKSClustersWithoutSpotInstances + - read + Resource: "*" + ## AWS Elastic Load Balancers With Unencrypted Listeners + iamPolicyAWSElasticLoadBalancersWithUnencryptedListenersRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSElasticLoadBalancersWithUnencryptedListenersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSElasticLoadBalancersWithUnencryptedListenersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSElasticLoadBalancersWithUnencryptedListeners + - read + Resource: "*" + ## AWS Expiring Savings Plans + iamPolicyAWSExpiringSavingsPlansRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSExpiringSavingsPlansRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSExpiringSavingsPlansReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSExpiringSavingsPlans + - read + Resource: "*" + ## AWS IAM Account Missing Support Role + iamPolicyAWSIAMAccountMissingSupportRoleRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMAccountMissingSupportRoleRead + Properties: + PolicyName: !Join + - "_" + - - !Ref 
paramRoleName + - AWSIAMAccountMissingSupportRoleReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMAccountMissingSupportRole + - read + Resource: "*" + ## AWS IAM Attached Admin Policies + iamPolicyAWSIAMAttachedAdminPoliciesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMAttachedAdminPoliciesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMAttachedAdminPoliciesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMAttachedAdminPolicies + - read + Resource: "*" + ## AWS IAM Expired SSL/TLS Certificates + iamPolicyAWSIAMExpiredSSLTLSCertificatesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMExpiredSSLTLSCertificatesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMExpiredSSLTLSCertificatesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMExpiredSSLTLSCertificates + - read + Resource: "*" + ## AWS IAM Insufficient Required Password Length + iamPolicyAWSIAMInsufficientRequiredPasswordLengthRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMInsufficientRequiredPasswordLengthRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMInsufficientRequiredPasswordLengthReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMInsufficientRequiredPasswordLength + - read + Resource: "*" + ## AWS IAM Password Policy Not Restricting Password Reuse + iamPolicyAWSIAMPasswordPolicyNotRestrictingPasswordReuseRead: + Type: "AWS::IAM::Policy" + Condition: 
CreatePolicyAWSIAMPasswordPolicyNotRestrictingPasswordReuseRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMPasswordPolicyNotRestrictingPasswordReuseReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMPasswordPolicyNotRestrictingPasswordReuse + - read + Resource: "*" + ## AWS IAM Role Audit + iamPolicyAWSIAMRoleAuditRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMRoleAuditRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMRoleAuditReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMRoleAudit + - read + Resource: "*" + ## AWS IAM Root Account Access Keys + iamPolicyAWSIAMRootAccountAccessKeysRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMRootAccountAccessKeysRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMRootAccountAccessKeysReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMRootAccountAccessKeys + - read + Resource: "*" + ## AWS IAM Root User Account Without Hardware MFA + iamPolicyAWSIAMRootUserAccountWithoutHardwareMFARead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMRootUserAccountWithoutHardwareMFARead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMRootUserAccountWithoutHardwareMFAReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMRootUserAccountWithoutHardwareMFA + - read + Resource: "*" + ## AWS IAM Root User Account Without MFA + iamPolicyAWSIAMRootUserAccountWithoutMFARead: + Type: "AWS::IAM::Policy" + Condition: 
CreatePolicyAWSIAMRootUserAccountWithoutMFARead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMRootUserAccountWithoutMFAReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMRootUserAccountWithoutMFA + - read + Resource: "*" + ## AWS IAM Root User Doing Everyday Tasks + iamPolicyAWSIAMRootUserDoingEverydayTasksRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMRootUserDoingEverydayTasksRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMRootUserDoingEverydayTasksReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMRootUserDoingEverydayTasks + - read + Resource: "*" + ## AWS IAM User Accounts Without MFA + iamPolicyAWSIAMUserAccountsWithoutMFARead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMUserAccountsWithoutMFARead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMUserAccountsWithoutMFAReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMUserAccountsWithoutMFA + - read + Resource: "*" + ## AWS IAM Users With Directly-Attached Policies + iamPolicyAWSIAMUsersWithDirectlyAttachedPoliciesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMUsersWithDirectlyAttachedPoliciesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMUsersWithDirectlyAttachedPoliciesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMUsersWithDirectlyAttachedPolicies + - read + Resource: "*" + ## AWS IAM Users With Multiple Active Access Keys + 
iamPolicyAWSIAMUsersWithMultipleActiveAccessKeysRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMUsersWithMultipleActiveAccessKeysRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMUsersWithMultipleActiveAccessKeysReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMUsersWithMultipleActiveAccessKeys + - read + Resource: "*" + ## AWS IAM Users With Old Access Keys + iamPolicyAWSIAMUsersWithOldAccessKeysRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMUsersWithOldAccessKeysRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMUsersWithOldAccessKeysReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMUsersWithOldAccessKeys + - read + Resource: "*" + ## AWS Idle NAT Gateways + iamPolicyAWSIdleNATGatewaysRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIdleNATGatewaysRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIdleNATGatewaysReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIdleNATGateways + - read + Resource: "*" + iamPolicyAWSIdleNATGatewaysAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIdleNATGatewaysAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIdleNATGatewaysActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIdleNATGateways + - action + Resource: "*" + ## AWS Internet-Accessible Elastic Load Balancers + iamPolicyAWSInternetAccessibleElasticLoadBalancersRead: + Type: "AWS::IAM::Policy" + Condition: 
CreatePolicyAWSInternetAccessibleElasticLoadBalancersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSInternetAccessibleElasticLoadBalancersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSInternetAccessibleElasticLoadBalancers + - read + Resource: "*" + iamPolicyAWSInternetAccessibleElasticLoadBalancersAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSInternetAccessibleElasticLoadBalancersAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSInternetAccessibleElasticLoadBalancersActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSInternetAccessibleElasticLoadBalancers + - action + Resource: "*" + ## AWS Lambda Functions With High Error Rate + iamPolicyAWSLambdaFunctionsWithHighErrorRateRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSLambdaFunctionsWithHighErrorRateRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSLambdaFunctionsWithHighErrorRateReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSLambdaFunctionsWithHighErrorRate + - read + Resource: "*" + ## AWS Lambda Functions Without Provisioned Concurrency + iamPolicyAWSLambdaFunctionsWithoutProvisionedConcurrencyRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSLambdaFunctionsWithoutProvisionedConcurrencyRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSLambdaFunctionsWithoutProvisionedConcurrencyReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSLambdaFunctionsWithoutProvisionedConcurrency + - read + Resource: "*" 
+ ## AWS Long Running Instances + iamPolicyAWSLongRunningInstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSLongRunningInstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSLongRunningInstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSLongRunningInstances + - read + Resource: "*" + iamPolicyAWSLongRunningInstancesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSLongRunningInstancesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSLongRunningInstancesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSLongRunningInstances + - action + Resource: "*" + ## AWS Long Stopped EC2 Instances + iamPolicyAWSLongStoppedEC2InstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSLongStoppedEC2InstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSLongStoppedEC2InstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSLongStoppedEC2Instances + - read + Resource: "*" + iamPolicyAWSLongStoppedEC2InstancesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSLongStoppedEC2InstancesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSLongStoppedEC2InstancesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSLongStoppedEC2Instances + - action + Resource: "*" + ## AWS Missing Regions + iamPolicyAWSMissingRegionsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSMissingRegionsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref 
paramRoleName + - AWSMissingRegionsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSMissingRegions + - read + Resource: "*" + ## AWS Old Snapshots + iamPolicyAWSOldSnapshotsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSOldSnapshotsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSOldSnapshotsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSOldSnapshots + - read + Resource: "*" + iamPolicyAWSOldSnapshotsAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSOldSnapshotsAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSOldSnapshotsActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSOldSnapshots + - action + Resource: "*" + ## AWS Open S3 Buckets + iamPolicyAWSOpenS3BucketsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSOpenS3BucketsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSOpenS3BucketsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSOpenS3Buckets + - read + Resource: "*" + ## AWS Oversized S3 Buckets + iamPolicyAWSOversizedS3BucketsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSOversizedS3BucketsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSOversizedS3BucketsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSOversizedS3Buckets + - read + Resource: "*" + ## AWS Publicly Accessible CloudTrail S3 Buckets + 
iamPolicyAWSPubliclyAccessibleCloudTrailS3BucketsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSPubliclyAccessibleCloudTrailS3BucketsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSPubliclyAccessibleCloudTrailS3BucketsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSPubliclyAccessibleCloudTrailS3Buckets + - read + Resource: "*" + ## AWS Publicly Accessible RDS Instances + iamPolicyAWSPubliclyAccessibleRDSInstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSPubliclyAccessibleRDSInstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSPubliclyAccessibleRDSInstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSPubliclyAccessibleRDSInstances + - read + Resource: "*" + iamPolicyAWSPubliclyAccessibleRDSInstancesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSPubliclyAccessibleRDSInstancesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSPubliclyAccessibleRDSInstancesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSPubliclyAccessibleRDSInstances + - action + Resource: "*" + ## AWS RDS Instances With Unapproved Backup Settings + iamPolicyAWSRDSInstancesWithUnapprovedBackupSettingsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRDSInstancesWithUnapprovedBackupSettingsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRDSInstancesWithUnapprovedBackupSettingsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - 
AWSRDSInstancesWithUnapprovedBackupSettings + - read + Resource: "*" + ## AWS Regions Without Access Analyzer Enabled + iamPolicyAWSRegionsWithoutAccessAnalyzerEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRegionsWithoutAccessAnalyzerEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRegionsWithoutAccessAnalyzerEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRegionsWithoutAccessAnalyzerEnabled + - read + Resource: "*" + ## AWS Regions Without Config Fully Enabled + iamPolicyAWSRegionsWithoutConfigFullyEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRegionsWithoutConfigFullyEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRegionsWithoutConfigFullyEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRegionsWithoutConfigFullyEnabled + - read + Resource: "*" + ## AWS Regions Without Default EBS Encryption + iamPolicyAWSRegionsWithoutDefaultEBSEncryptionRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRegionsWithoutDefaultEBSEncryptionRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRegionsWithoutDefaultEBSEncryptionReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRegionsWithoutDefaultEBSEncryption + - read + Resource: "*" + ## AWS Reserved Instances Coverage + iamPolicyAWSReservedInstancesCoverageRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSReservedInstancesCoverageRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSReservedInstancesCoverageReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 
2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSReservedInstancesCoverage + - read + Resource: "*" + ## AWS Reserved Instances Recommendations + iamPolicyAWSReservedInstancesRecommendationsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSReservedInstancesRecommendationsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSReservedInstancesRecommendationsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSReservedInstancesRecommendations + - read + Resource: "*" + ## AWS Rightsize EBS Volumes + iamPolicyAWSRightsizeEBSVolumesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeEBSVolumesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeEBSVolumesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeEBSVolumes + - read + Resource: "*" + iamPolicyAWSRightsizeEBSVolumesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeEBSVolumesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeEBSVolumesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeEBSVolumes + - action + Resource: "*" + ## AWS Rightsize EC2 Instances + iamPolicyAWSRightsizeEC2InstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeEC2InstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeEC2InstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeEC2Instances + - read + Resource: "*" + 
iamPolicyAWSRightsizeEC2InstancesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeEC2InstancesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeEC2InstancesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeEC2Instances + - action + Resource: "*" + ## AWS Rightsize ElastiCache + iamPolicyAWSRightsizeElastiCacheRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeElastiCacheRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeElastiCacheReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeElastiCache + - read + Resource: "*" + iamPolicyAWSRightsizeElastiCacheAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeElastiCacheAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeElastiCacheActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeElastiCache + - action + Resource: "*" + ## AWS Rightsize RDS Instances + iamPolicyAWSRightsizeRDSInstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeRDSInstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeRDSInstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeRDSInstances + - read + Resource: "*" + iamPolicyAWSRightsizeRDSInstancesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeRDSInstancesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - 
AWSRightsizeRDSInstancesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeRDSInstances + - action + Resource: "*" + ## AWS Rightsize Redshift + iamPolicyAWSRightsizeRedshiftRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeRedshiftRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeRedshiftReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeRedshift + - read + Resource: "*" + iamPolicyAWSRightsizeRedshiftAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeRedshiftAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeRedshiftActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeRedshift + - action + Resource: "*" + ## AWS S3 Buckets Accepting HTTP Requests + iamPolicyAWSS3BucketsAcceptingHTTPRequestsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsAcceptingHTTPRequestsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsAcceptingHTTPRequestsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsAcceptingHTTPRequests + - read + Resource: "*" + ## AWS S3 Buckets Without Default Encryption Configuration + iamPolicyAWSS3BucketsWithoutDefaultEncryptionConfigurationRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsWithoutDefaultEncryptionConfigurationRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsWithoutDefaultEncryptionConfigurationReadPermissionPolicy + Roles: + - !Ref 
iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsWithoutDefaultEncryptionConfiguration + - read + Resource: "*" + iamPolicyAWSS3BucketsWithoutDefaultEncryptionConfigurationAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsWithoutDefaultEncryptionConfigurationAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsWithoutDefaultEncryptionConfigurationActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsWithoutDefaultEncryptionConfiguration + - action + Resource: "*" + ## AWS S3 Buckets Without Intelligent Tiering + iamPolicyAWSS3BucketsWithoutIntelligentTieringRead: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSUnusedVolumesRead + Condition: CreatePolicyAWSS3BucketsWithoutIntelligentTieringRead Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSUnusedVolumesReadPermissionPolicy + - AWSS3BucketsWithoutIntelligentTieringReadPermissionPolicy Roles: - !Ref iamRole PolicyDocument: @@ -631,17 +4071,18 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSUnusedVolumes + - AWSS3BucketsWithoutIntelligentTiering - read Resource: "*" - iamPolicyAWSUnusedVolumesAction: + ## AWS S3 Buckets Without Lifecycle Configuration + iamPolicyAWSS3BucketsWithoutLifecycleConfigurationRead: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSUnusedVolumesAction + Condition: CreatePolicyAWSS3BucketsWithoutLifecycleConfigurationRead Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSUnusedVolumesActionPermissionPolicy + - AWSS3BucketsWithoutLifecycleConfigurationReadPermissionPolicy Roles: - !Ref iamRole PolicyDocument: 
@@ -650,18 +4091,18 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSUnusedVolumes - - action + - AWSS3BucketsWithoutLifecycleConfiguration + - read Resource: "*" - ## AWS Rightsize EBS Volumes Permission Policies - iamPolicyAWSRightsizeEBSVolumesRead: + ## AWS S3 Buckets Without MFA Delete Enabled + iamPolicyAWSS3BucketsWithoutMFADeleteEnabledRead: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSRightsizeEBSVolumesRead + Condition: CreatePolicyAWSS3BucketsWithoutMFADeleteEnabledRead Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSRightsizeEBSVolumesReadPermissionPolicy + - AWSS3BucketsWithoutMFADeleteEnabledReadPermissionPolicy Roles: - !Ref iamRole PolicyDocument: @@ -670,17 +4111,18 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSRightsizeEBSVolumes + - AWSS3BucketsWithoutMFADeleteEnabled - read Resource: "*" - iamPolicyAWSRightsizeEBSVolumesAction: + ## AWS S3 Buckets Without Public Access Blocked + iamPolicyAWSS3BucketsWithoutPublicAccessBlockedRead: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSRightsizeEBSVolumesAction + Condition: CreatePolicyAWSS3BucketsWithoutPublicAccessBlockedRead Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSRightsizeEBSVolumesActionPermissionPolicy + - AWSS3BucketsWithoutPublicAccessBlockedReadPermissionPolicy Roles: - !Ref iamRole PolicyDocument: 
@@ -689,18 +4131,18 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSRightsizeEBSVolumes - - action + - AWSS3BucketsWithoutPublicAccessBlocked + - read Resource: "*" - ## AWS Rightsize RDS Instances Permission Policies - iamPolicyAWSRightsizeRDSInstancesRead: + ## AWS S3 Buckets Without Server Access Logging + iamPolicyAWSS3BucketsWithoutServerAccessLoggingRead: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSRightsizeRDSInstancesRead + Condition: CreatePolicyAWSS3BucketsWithoutServerAccessLoggingRead Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSRightsizeRDSInstancesReadPermissionPolicy + - AWSS3BucketsWithoutServerAccessLoggingReadPermissionPolicy Roles: - !Ref iamRole PolicyDocument: @@ -709,17 +4151,17 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSRightsizeRDSInstances + - AWSS3BucketsWithoutServerAccessLogging - read Resource: "*" - iamPolicyAWSRightsizeRDSInstancesAction: + iamPolicyAWSS3BucketsWithoutServerAccessLoggingAction: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSRightsizeRDSInstancesAction + Condition: CreatePolicyAWSS3BucketsWithoutServerAccessLoggingAction Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSRightsizeRDSInstancesActionPermissionPolicy + - AWSS3BucketsWithoutServerAccessLoggingActionPermissionPolicy Roles: - !Ref iamRole PolicyDocument: 
@@ -728,18 +4170,18 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSRightsizeRDSInstances + - AWSS3BucketsWithoutServerAccessLogging - action Resource: "*" - ## AWS Unused IP Addresses Permission Policies - iamPolicyAWSUnusedIPAddressesRead: + ## AWS S3 Incomplete Multi-Part Uploads + iamPolicyAWSS3IncompleteMultiPartUploadsRead: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSUnusedIPAddressesRead + Condition: CreatePolicyAWSS3IncompleteMultiPartUploadsRead Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSUnusedIPAddressesReadPermissionPolicy + - AWSS3IncompleteMultiPartUploadsReadPermissionPolicy Roles: - !Ref iamRole PolicyDocument: @@ -748,17 +4190,17 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSUnusedIPAddresses + - AWSS3IncompleteMultiPartUploads - read Resource: "*" - iamPolicyAWSUnusedIPAddressesAction: + iamPolicyAWSS3IncompleteMultiPartUploadsAction: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSUnusedIPAddressesAction + Condition: CreatePolicyAWSS3IncompleteMultiPartUploadsAction Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSUnusedIPAddressesActionPermissionPolicy + - AWSS3IncompleteMultiPartUploadsActionPermissionPolicy Roles: - !Ref iamRole PolicyDocument: @@ -767,18 +4209,18 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSUnusedIPAddresses + - AWSS3IncompleteMultiPartUploads - action Resource: "*" - ## AWS Unused Classic Load Balancers Policies - iamPolicyAWSUnusedCLBsRead: + ## AWS Savings Plan Recommendations + iamPolicyAWSSavingsPlanRecommendationsRead: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSUnusedCLBsRead + Condition: CreatePolicyAWSSavingsPlanRecommendationsRead Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSUnusedCLBsReadPermissionPolicy + - AWSSavingsPlanRecommendationsReadPermissionPolicy Roles: - !Ref iamRole PolicyDocument: 
@@ -787,17 +4229,18 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSUnusedCLBs + - AWSSavingsPlanRecommendations - read Resource: "*" - iamPolicyAWSUnusedCLBsAction: + ## AWS Savings Plan Utilization + iamPolicyAWSSavingsPlanUtilizationRead: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSUnusedCLBsAction + Condition: CreatePolicyAWSSavingsPlanUtilizationRead Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSUnusedCLBsActionPermissionPolicy + - AWSSavingsPlanUtilizationReadPermissionPolicy Roles: - !Ref iamRole PolicyDocument: @@ -806,18 +4249,18 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSUnusedCLBs - - action + - AWSSavingsPlanUtilization + - read Resource: "*" - ## AWS Old Snapshots Permission Policies - iamPolicyAWSOldSnapshots: + ## AWS Schedule Instance + iamPolicyAWSScheduleInstanceRead: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSOldSnapshotsRead + Condition: CreatePolicyAWSScheduleInstanceRead Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSOldSnapshotsReadPermissionPolicy + - AWSScheduleInstanceReadPermissionPolicy Roles: - !Ref iamRole PolicyDocument: @@ -826,17 +4269,18 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSOldSnapshots + - AWSScheduleInstance - read Resource: "*" - iamPolicyAWSOldSnapshotsAction: + ## AWS Scheduled EC2 Events + iamPolicyAWSScheduledEC2EventsRead: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSOldSnapshotsAction + Condition: CreatePolicyAWSScheduledEC2EventsRead Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSOldSnapshotsActionPermissionPolicy + - AWSScheduledEC2EventsReadPermissionPolicy Roles: - !Ref iamRole PolicyDocument: 
@@ -845,18 +4289,18 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSOldSnapshots - - action + - AWSScheduledEC2Events + - read Resource: "*" - ## AWS Rightsize EC2 Instances Permission Policies - iamPolicyAWSRightsizeEC2Instances: + ## AWS Superseded EBS Volumes + iamPolicyAWSSupersededEBSVolumesRead: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSRightsizeEC2InstancesRead + Condition: CreatePolicyAWSSupersededEBSVolumesRead Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSRightsizeEC2InstancesReadPermissionPolicy + - AWSSupersededEBSVolumesReadPermissionPolicy Roles: - !Ref iamRole PolicyDocument: @@ -865,17 +4309,17 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSRightsizeEC2Instances + - AWSSupersededEBSVolumes - read Resource: "*" - iamPolicyAWSRightsizeEC2InstancesAction: + iamPolicyAWSSupersededEBSVolumesAction: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSRightsizeEC2InstancesAction + Condition: CreatePolicyAWSSupersededEBSVolumesAction Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSRightsizeEC2InstancesActionPermissionPolicy + - AWSSupersededEBSVolumesActionPermissionPolicy Roles: - !Ref iamRole PolicyDocument: @@ -884,11 +4328,11 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSRightsizeEC2Instances + - AWSSupersededEBSVolumes - action Resource: "*" - ## AWS Superseded EC2 Instances Permission Policies - iamPolicyAWSSupersededEC2Instances: + ## AWS Superseded EC2 Instances + iamPolicyAWSSupersededEC2InstancesRead: Type: "AWS::IAM::Policy" Condition: CreatePolicyAWSSupersededEC2InstancesRead Properties: 
@@ -926,15 +4370,35 @@ Resources: - AWSSupersededEC2Instances - action Resource: "*" - ## AWS Reserved Instances Recommendation - iamPolicyAWSReservedInstancesRecommendation: + ## AWS Tag Cardinality Report + iamPolicyAWSTagCardinalityReportRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSTagCardinalityReportRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSTagCardinalityReportReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSTagCardinalityReport + - read + Resource: "*" + ## AWS Unencrypted EBS Volumes + iamPolicyAWSUnencryptedEBSVolumesRead: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSReservedInstancesRecommendationRead + Condition: CreatePolicyAWSUnencryptedEBSVolumesRead Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSReservedInstancesRecommendationReadPermissionPolicy + - AWSUnencryptedEBSVolumesReadPermissionPolicy Roles: - !Ref iamRole PolicyDocument: @@ -943,17 +4407,18 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSReservedInstancesRecommendation + - AWSUnencryptedEBSVolumes - read Resource: "*" - iamPolicyAWSObjectStorageOptimizationRead: + ## AWS Unencrypted RDS Instances + iamPolicyAWSUnencryptedRDSInstancesRead: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSObjectStorageOptimizationRead + Condition: CreatePolicyAWSUnencryptedRDSInstancesRead Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSObjectStorageOptimizationReadPermissionPolicy + - AWSUnencryptedRDSInstancesReadPermissionPolicy Roles: - !Ref iamRole PolicyDocument: 
@@ -962,17 +4427,17 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSObjectStorageOptimization + - AWSUnencryptedRDSInstances - read Resource: "*" - iamPolicyAWSObjectStorageOptimizationAction: + iamPolicyAWSUnencryptedRDSInstancesAction: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSObjectStorageOptimizationAction + Condition: CreatePolicyAWSUnencryptedRDSInstancesAction Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSObjectStorageOptimizationActionPermissionPolicy + - AWSUnencryptedRDSInstancesActionPermissionPolicy Roles: - !Ref iamRole PolicyDocument: @@ -981,17 +4446,18 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSObjectStorageOptimization + - AWSUnencryptedRDSInstances - action Resource: "*" - iamPolicyAWSExpiringSavingsPlans: + ## AWS Untagged Resources + iamPolicyAWSUntaggedResourcesRead: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSExpiringSavingsPlansRead + Condition: CreatePolicyAWSUntaggedResourcesRead Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSExpiringSavingsPlansReadPermissionPolicy + - AWSUntaggedResourcesReadPermissionPolicy Roles: - !Ref iamRole PolicyDocument: @@ -1000,17 +4466,17 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSExpiringSavingsPlans + - AWSUntaggedResources - read Resource: "*" - iamPolicyAWSSavingsPlanRecommendations: + iamPolicyAWSUntaggedResourcesAction: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSSavingsPlanRecommendationsRead + Condition: CreatePolicyAWSUntaggedResourcesAction Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSSavingsPlanRecommendationsReadPermissionPolicy + - AWSUntaggedResourcesActionPermissionPolicy Roles: - !Ref iamRole PolicyDocument: 
@@ -1019,17 +4485,37 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSSavingsPlanRecommendations + - AWSUntaggedResources + - action + Resource: "*" + ## AWS Unused Application Load Balancers + iamPolicyAWSUnusedApplicationLoadBalancersRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedApplicationLoadBalancersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedApplicationLoadBalancersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedApplicationLoadBalancers - read Resource: "*" - iamPolicyAWSSavingsPlanUtilization: + iamPolicyAWSUnusedApplicationLoadBalancersAction: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSSavingsPlanUtilizationRead + Condition: CreatePolicyAWSUnusedApplicationLoadBalancersAction Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSSavingsPlanUtilizationReadPermissionPolicy + - AWSUnusedApplicationLoadBalancersActionPermissionPolicy Roles: - !Ref iamRole PolicyDocument: 
@@ -1038,17 +4524,37 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSSavingsPlanUtilization + - AWSUnusedApplicationLoadBalancers + - action + Resource: "*" + ## AWS Unused Classic Load Balancers + iamPolicyAWSUnusedClassicLoadBalancersRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedClassicLoadBalancersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedClassicLoadBalancersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedClassicLoadBalancers - read Resource: "*" - iamPolicyAWSTagCardinalityReport: + iamPolicyAWSUnusedClassicLoadBalancersAction: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSTagCardinalityReportRead + Condition: CreatePolicyAWSUnusedClassicLoadBalancersAction Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSTagCardinalityReportReadPermissionPolicy + - AWSUnusedClassicLoadBalancersActionPermissionPolicy Roles: - !Ref iamRole PolicyDocument: 
@@ -1057,17 +4563,37 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSTagCardinalityReport + - AWSUnusedClassicLoadBalancers + - action + Resource: "*" + ## AWS Unused ECS Clusters + iamPolicyAWSUnusedECSClustersRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedECSClustersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedECSClustersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedECSClusters - read Resource: "*" - iamPolicyAWSUntaggedResourcesRead: + iamPolicyAWSUnusedECSClustersAction: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSUntaggedResourcesRead + Condition: CreatePolicyAWSUnusedECSClustersAction Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSUntaggedResourcesReadPermissionPolicy + - AWSUnusedECSClustersActionPermissionPolicy Roles: - !Ref iamRole PolicyDocument: 
@@ -1076,17 +4602,38 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSUntaggedResources + - AWSUnusedECSClusters + - action + Resource: "*" + ## AWS Unused IAM Credentials + iamPolicyAWSUnusedIAMCredentialsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedIAMCredentialsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedIAMCredentialsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedIAMCredentials - read Resource: "*" - iamPolicyAWSUntaggedResourcesAction: + ## AWS Unused IP Addresses + iamPolicyAWSUnusedIPAddressesRead: Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSUntaggedResourcesAction + Condition: CreatePolicyAWSUnusedIPAddressesRead Properties: PolicyName: !Join - "_" - - !Ref paramRoleName - - AWSUntaggedResourcesActionPermissionPolicy + - AWSUnusedIPAddressesReadPermissionPolicy Roles: - !Ref iamRole PolicyDocument: 
@@ -1095,9 +4642,108 @@ Resources: - Effect: Allow Action: !FindInMap - PermissionMap - - AWSUntaggedResources + - AWSUnusedIPAddresses + - read + Resource: "*" + iamPolicyAWSUnusedIPAddressesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedIPAddressesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedIPAddressesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedIPAddresses + - action + Resource: "*" + ## AWS Unused Network Load Balancers + iamPolicyAWSUnusedNetworkLoadBalancersRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedNetworkLoadBalancersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedNetworkLoadBalancersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedNetworkLoadBalancers + - read + Resource: "*" + iamPolicyAWSUnusedNetworkLoadBalancersAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedNetworkLoadBalancersAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedNetworkLoadBalancersActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedNetworkLoadBalancers - action Resource: "*" + ## AWS VPCs Without FlowLogs Enabled + iamPolicyAWSVPCsWithoutFlowLogsEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSVPCsWithoutFlowLogsEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSVPCsWithoutFlowLogsEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSVPCsWithoutFlowLogsEnabled + - read + 
Resource: "*" + ## Common Bill Ingestion from AWS S3 Object Storage + iamPolicyCommonBillIngestionfromAWSS3ObjectStorageRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyCommonBillIngestionfromAWSS3ObjectStorageRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - CommonBillIngestionfromAWSS3ObjectStorageReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - CommonBillIngestionfromAWSS3ObjectStorage + - read + Resource: "*" + # End for each policy template # End IAM Permission Policy Resources diff --git a/tools/cloudformation-template/rolling/FlexeraAutomationPoliciesReadOnly.template b/tools/cloudformation-template/FlexeraAutomationPoliciesReadOnly.template similarity index 98% rename from tools/cloudformation-template/rolling/FlexeraAutomationPoliciesReadOnly.template rename to tools/cloudformation-template/FlexeraAutomationPoliciesReadOnly.template index 179ac78004..d26ddbea29 100644 --- a/tools/cloudformation-template/rolling/FlexeraAutomationPoliciesReadOnly.template +++ b/tools/cloudformation-template/FlexeraAutomationPoliciesReadOnly.template @@ -1,6 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 Description: "CloudFormation Stack with IAM Role and IAM Permission Policy used by Flexera Automation. Official Docs: https://docs.flexera.com/" -# Generated by Flexera automation on 2024-12-13T15:57:13Z # For more details, see: https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/README.md Metadata: @@ -164,8 +163,6 @@ Metadata: - paramPermsAWSSupersededEBSVolumes ## AWS Superseded EC2 Instances - paramPermsAWSSupersededEC2Instances - ## AWS Superseded EC2 Instances - - paramPermsAWSSupersededEC2Instances ## AWS Tag Cardinality Report - paramPermsAWSTagCardinalityReport ## AWS Unencrypted EBS Volumes 
@@ -413,9 +410,6 @@ Metadata: paramPermsAWSSupersededEBSVolumes: default: "Permissions for Policy Template: AWS Superseded EBS Volumes" ## AWS Superseded EC2 Instances - paramPermsAWSSupersededEC2Instances: - default: "Permissions for Policy Template: AWS Superseded EC2 Instances" - ## AWS Superseded EC2 Instances paramPermsAWSSupersededEC2Instances: default: "Permissions for Policy Template: AWS Superseded EC2 Instances" ## AWS Tag Cardinality Report @@ -1045,14 +1039,6 @@ Parameters: - None - Read Only ## AWS Superseded EC2 Instances - paramPermsAWSSupersededEC2Instances: - Description: 'What permissions for the "AWS Superseded EC2 Instances" Policy Template should be granted on the AWS Role that will be created?' - Type: String - Default: None - AllowedValues: - - None - - Read Only - ## AWS Superseded EC2 Instances paramPermsAWSSupersededEC2Instances: Description: 'What permissions for the "AWS Superseded EC2 Instances" Policy Template should be granted on the AWS Role that will be created?' Type: String @@ -1513,11 +1499,6 @@ Conditions: - !Ref paramPermsAWSSupersededEBSVolumes - None ## AWS Superseded EC2 Instances - CreatePolicyAWSSupersededEC2InstancesRead: !Not - - !Equals - - !Ref paramPermsAWSSupersededEC2Instances - - None - ## AWS Superseded EC2 Instances CreatePolicyAWSSupersededEC2InstancesRead: !Not - !Equals - !Ref paramPermsAWSSupersededEC2Instances @@ -1686,7 +1667,6 @@ Mappings: - "rds:ListTagsForResource" - "redshift:DescribeClusters" - "s3:GetBucketAcl" - - "s3:GetBucketLifecycleConfiguration" - "s3:GetBucketLocation" - "s3:GetBucketLogging" - "s3:GetBucketPolicy" @@ -1695,6 +1675,7 @@ Mappings: - "s3:GetBucketVersioning" - "s3:GetEncryptionConfiguration" - "s3:GetIntelligentTieringConfiguration" + - "s3:GetLifecycleConfiguration" - "s3:GetObject" - "s3:ListAllMyBuckets" - "s3:ListBucketMultipartUploads" 
@@ -2155,7 +2136,7 @@ Mappings: - "s3:ListAllMyBuckets" - "s3:GetBucketLocation" - "s3:GetBucketTagging" - - "s3:GetBucketLifecycleConfiguration" + - "s3:GetLifecycleConfiguration" - "sts:GetCallerIdentity" action: [] ## AWS S3 Buckets Without MFA Delete Enabled @@ -2236,14 +2217,6 @@ Mappings: - "pricing:GetProducts" action: [] ## AWS Superseded EC2 Instances - AWSSupersededEC2Instances: - read: - - "ec2:DescribeRegions" - - "ec2:DescribeInstances" - - "ec2:DescribeTags" - - "sts:GetCallerIdentity" - action: [] - ## AWS Superseded EC2 Instances AWSSupersededEC2Instances: read: - "ec2:DescribeRegions" @@ -3766,26 +3739,6 @@ Resources: - read Resource: "*" ## AWS Superseded EC2 Instances - iamPolicyAWSSupersededEC2InstancesRead: - Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSSupersededEC2InstancesRead - Properties: - PolicyName: !Join - - "_" - - - !Ref paramRoleName - - AWSSupersededEC2InstancesReadPermissionPolicy - Roles: - - !Ref iamRole - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: !FindInMap - - PermissionMap - - AWSSupersededEC2Instances - - read - Resource: "*" - ## AWS Superseded EC2 Instances iamPolicyAWSSupersededEC2InstancesRead: Type: "AWS::IAM::Policy" Condition: CreatePolicyAWSSupersededEC2InstancesRead diff --git a/tools/cloudformation-template/README.md b/tools/cloudformation-template/README.md index bea58e3f3a..0b7da290a0 100644 --- a/tools/cloudformation-template/README.md +++ b/tools/cloudformation-template/README.md 
@@ -4,16 +4,12 @@ Template to create a CloudFormation Stack with IAM Role and Permission Policy resources required by [Flexera Automation](https://docs.flexera.com/flexera/EN/Automation/AutomationGS.htm). -Two supported versions are provided as options: +Three supported versions are provided as options: -- [FlexeraAutomationPolicies.template](https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/FlexeraAutomationPolicies.template): Current approved/stable version of the template. Recommended for most use cases. +- [FlexeraAutomationPolicies.template](https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/FlexeraAutomationPolicies.template): Current production version of the template. Recommended for most use cases. +- [FlexeraAutomationPoliciesReadOnly.template](https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/rolling/FlexeraAutomationPoliciesReadOnly.template): Identical to the above but with only read-only permissions. Recommended when there are concerns over the template having options for more than just read-only access. - [FlexeraAutomationPoliciesSimple.template](https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/FlexeraAutomationPoliciesSimple.template): Template that simply attaches the built-in `arn:aws:iam::aws:policy/ReadOnlyAccess` AWS policy by default with the option to add other policies by name manually via parameter. Recommended when custom inline policies are not desired. Note that this grants more access than simply applying [FlexeraAutomationPolicies.template](https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/FlexeraAutomationPolicies.template) with the default options, since this provides read-only access to everything in the AWS account rather than just to the resources needed for Flexera automation. 
-Additionally, two automatically generated rolling release versions are provided but are **not recommended** or supported for production use. These will be used as the basis for the stable releases above. - -- [rolling/FlexeraAutomationPolicies.template](https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/rolling/FlexeraAutomationPolicies.template): Template to add either read or read/action permissions for either all Flexera automation templates or per-Flexera automation template. -- [rolling/FlexeraAutomationPoliciesReadOnly.template](https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/rolling/FlexeraAutomationPoliciesReadOnly.template): Identical to the above but with only read-only permissions. Recommended when there are concerns over the template having options for more than just read-only access. - ## Amazon S3 Template URL **`https://flexera-cloudformation-public.s3.us-east-2.amazonaws.com/FlexeraAutomationPolicies_latest.template`** 
@@ -180,4 +176,6 @@ resource "aws_cloudformation_stack" "FlexeraAutomationAccessRole" { ## For Maintainers -New rolling releases are created automatically by the `tools/cloudformation-template/aws_cft_generator.rb` script. This script runs automatically via GitHub Actions whenever a change is made to the master branch. This script uses the permissions file `data/policy_permissions_list/master_policy_permissions_list.json` to obtain the information needed to generate the CloudFormation Template. This file, in turn, is sourced through its own automation that scrapes policy template README files. +New versions of `tools/cloudformation-template/FlexeraAutomationPolicies.template` and `tools/cloudformation-template/FlexeraAutomationPoliciesReadOnly.template` are created automatically by the `tools/cloudformation-template/aws_cft_generator.rb` script. This script runs automatically via GitHub Actions whenever a change is made to the master branch. This script uses the permissions file `data/policy_permissions_list/master_policy_permissions_list.json` to obtain the information needed to generate the CloudFormation Template. This file, in turn, is sourced through its [own automation](https://github.com/flexera-public/policy_templates/tree/master/tools/policy_master_permission_generation) that scrapes policy template README files. + +New releases are created automatically by the `tools/cloudformation-template/aws_cft_new_release.rb` script. This script runs daily and checks whether the most recent version of `tools/cloudformation-template/FlexeraAutomationPolicies.template` has any changes compared to the latest release. If changes are present, a new minor version is created and stored in the `tools/cloudformation-template/releases` directory. diff --git a/tools/cloudformation-template/aws_cft_generator.rb b/tools/cloudformation-template/aws_cft_generator.rb index 5a477b893b..8db4631b33 100644 --- a/tools/cloudformation-template/aws_cft_generator.rb 
+++ b/tools/cloudformation-template/aws_cft_generator.rb @@ -1,5 +1,8 @@ require "json" require "time" +require "pathname" +require "digest" +require "fileutils" # Method for generating permission list def create_permissions(perm_json, deprecated, perm_type = "action") @@ -197,8 +200,7 @@ def create_template(perm_list, template_path) # Generate new CloudFormation Template empty_template = File.read(template_path) - final_template = empty_template.gsub("__PLACEHOLDER_FOR_GENERATION_DATETIME__", Time.now.utc.iso8601) - final_template = final_template.gsub("__PLACEHOLDER_FOR_PARAMETER_GROUPS__", parameter_groups) + final_template = empty_template.gsub("__PLACEHOLDER_FOR_PARAMETER_GROUPS__", parameter_groups) final_template = final_template.gsub("__PLACEHOLDER_FOR_PARAMETER_LABELS__", parameter_labels) final_template = final_template.gsub("__PLACEHOLDER_FOR_PARAMETER_GROUP_DEFINITIONS__", parameter_group_definitions) final_template = final_template.gsub("__PLACEHOLDER_FOR_CONDITIONS__", conditions) @@ -212,8 +214,8 @@ def create_template(perm_list, template_path) activepolicy_json_filepath = "../../data/active_policy_list/active_policy_list.json" permission_json_filepath = "../../data/policy_permissions_list/master_policy_permissions_list.json" template_filepath = "./aws_cft_generator.template.txt" -output_filepath = "./rolling/FlexeraAutomationPolicies.template" -output_readonly_filepath = "./rolling/FlexeraAutomationPoliciesReadOnly.template" +output_filepath = "./FlexeraAutomationPolicies.template" +output_readonly_filepath = "./FlexeraAutomationPoliciesReadOnly.template" # Get list of deprecated policies activepolicy_json = JSON.parse(File.read(activepolicy_json_filepath)) diff --git a/tools/cloudformation-template/aws_cft_generator.template.txt b/tools/cloudformation-template/aws_cft_generator.template.txt index 4fd2c4dd67..0f630ce090 100644 --- a/tools/cloudformation-template/aws_cft_generator.template.txt 
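Review bot: The three `require` lines added at the top of aws_cft_generator.rb (`pathname`, `digest`, `fileutils`) are not used by any other change in this file's hunks; the SHA256 comparison and `FileUtils.cp` that need `digest` and `fileutils` live in the new aws_cft_new_release.rb, which requires them itself. Unless pre-existing code in the generator already references those constants, drop the three lines so each script declares only what it uses. The body of `create_template` and the script's output-path section continue outside these hunks.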
+++ b/tools/cloudformation-template/aws_cft_generator.template.txt @@ -1,6 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 Description: "CloudFormation Stack with IAM Role and IAM Permission Policy used by Flexera Automation. Official Docs: https://docs.flexera.com/" -# Generated by Flexera automation on __PLACEHOLDER_FOR_GENERATION_DATETIME__ # For more details, see: https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/README.md Metadata: diff --git a/tools/cloudformation-template/aws_cft_new_release.rb b/tools/cloudformation-template/aws_cft_new_release.rb new file mode 100644 index 0000000000..a4ccba0cce --- /dev/null +++ b/tools/cloudformation-template/aws_cft_new_release.rb 
@@ -0,0 +1,37 @@
+require "json"
+require "time"
+require "pathname"
+require "digest"
+require "fileutils"
+
+# Method to test if two files are identical
+def files_match?(file1, file2)
+ Digest::SHA256.file(file1).hexdigest == Digest::SHA256.file(file2).hexdigest
+end
+
+# Define the directory containing the files
+release_dir = "./releases"
+local_file_path = "./FlexeraAutomationPolicies.template"
+
+# Get a list of all template files in the directory
+files = Dir.entries(release_dir).select { |file| file =~ /FlexeraAutomationPolicies_v(\d+\.\d+\.\d+)\.template$/ }
+
+# Extract version numbers and map them to their corresponding files
+file_versions = files.map do |file|
+ match = file.match(/v(\d+\.\d+\.\d+)/)
+ [file, match[1]] if match
+end.compact
+
+# Find the most recent version
+most_recent = file_versions.max_by { |_, version| Gem::Version.new(version) }
+most_recent_file, most_recent_version = most_recent
+most_recent_path = File.join(release_dir, most_recent_file)
+
+# Unless the files are identical, create a new version.
+unless files_match?(local_file_path, most_recent_path)
+ new_minor_version = (Integer(most_recent_version.split(".")[1]) + 1).to_s
+ new_version = most_recent_version.split(".")[0] + "." + new_minor_version + ".0"
+ new_file_path = release_dir + "/FlexeraAutomationPolicies_v" + new_version + ".template"
+
+ FileUtils.cp(local_file_path, new_file_path, verbose: true)
+end
diff --git a/tools/cloudformation-template/rolling/FlexeraAutomationPolicies.template b/tools/cloudformation-template/releases/FlexeraAutomationPolicies_v0.9.0.template
similarity index 98%
rename from tools/cloudformation-template/rolling/FlexeraAutomationPolicies.template
rename to tools/cloudformation-template/releases/FlexeraAutomationPolicies_v0.9.0.template
index 84b17b5e15..c0a7adb02e 100644
--- a/tools/cloudformation-template/rolling/FlexeraAutomationPolicies.template
+++ b/tools/cloudformation-template/releases/FlexeraAutomationPolicies_v0.9.0.template
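Review bot: `most_recent` is nil whenever `./releases` holds no file matching the version regex, so the script dies on `File.join(release_dir, most_recent_file)` with a TypeError instead of a readable message; add `abort "No existing release found in #{release_dir}" if most_recent.nil?` directly after the `max_by` line. The `require "json"`, `"time"` and `"pathname"` lines are not used anywhere in this file and can be removed. Because the gate is a byte-for-byte SHA256 comparison, any difference in the generated template — including newly added IAM actions that arrive through the scraped permissions list — is promoted to a new minor release and copied verbatim, with no lint or review step in this script; if that is the intended design, a comment on the `unless` such as `# Any change to the generated template, including permission additions, becomes a new minor release` would make that explicit to the next maintainer.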
@@ -1,6 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 Description: "CloudFormation Stack with IAM Role and IAM Permission Policy used by Flexera Automation. Official Docs: https://docs.flexera.com/" -# Generated by Flexera automation on 2024-12-13T15:57:13Z # For more details, see: https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/README.md Metadata: @@ -164,8 +163,6 @@ Metadata: - paramPermsAWSSupersededEBSVolumes ## AWS Superseded EC2 Instances - paramPermsAWSSupersededEC2Instances - ## AWS Superseded EC2 Instances - - paramPermsAWSSupersededEC2Instances ## AWS Tag Cardinality Report - paramPermsAWSTagCardinalityReport ## AWS Unencrypted EBS Volumes @@ -413,9 +410,6 @@ Metadata: paramPermsAWSSupersededEBSVolumes: default: "Permissions for Policy Template: AWS Superseded EBS Volumes" ## AWS Superseded EC2 Instances - paramPermsAWSSupersededEC2Instances: - default: "Permissions for Policy Template: AWS Superseded EC2 Instances" - ## AWS Superseded EC2 Instances paramPermsAWSSupersededEC2Instances: default: "Permissions for Policy Template: AWS Superseded EC2 Instances" ## AWS Tag Cardinality Report @@ -1066,15 +1060,6 @@ Parameters: - Read Only - Read and Take Action ## AWS Superseded EC2 Instances - paramPermsAWSSupersededEC2Instances: - Description: 'What permissions for the "AWS Superseded EC2 Instances" Policy Template should be granted on the AWS Role that will be created?' - Type: String - Default: None - AllowedValues: - - None - - Read Only - - Read and Take Action - ## AWS Superseded EC2 Instances paramPermsAWSSupersededEC2Instances: Description: 'What permissions for the "AWS Superseded EC2 Instances" Policy Template should be granted on the AWS Role that will be created?' Type: String 
@@ -1606,14 +1591,6 @@ Conditions: - !Ref paramPermsAWSSupersededEBSVolumes - Read and Take Action ## AWS Superseded EC2 Instances - CreatePolicyAWSSupersededEC2InstancesRead: !Not - - !Equals - - !Ref paramPermsAWSSupersededEC2Instances - - None - CreatePolicyAWSSupersededEC2InstancesAction: !Equals - - !Ref paramPermsAWSSupersededEC2Instances - - Read and Take Action - ## AWS Superseded EC2 Instances CreatePolicyAWSSupersededEC2InstancesRead: !Not - !Equals - !Ref paramPermsAWSSupersededEC2Instances @@ -1806,7 +1783,6 @@ Mappings: - "rds:ListTagsForResource" - "redshift:DescribeClusters" - "s3:GetBucketAcl" - - "s3:GetBucketLifecycleConfiguration" - "s3:GetBucketLocation" - "s3:GetBucketLogging" - "s3:GetBucketPolicy" @@ -1815,6 +1791,7 @@ Mappings: - "s3:GetBucketVersioning" - "s3:GetEncryptionConfiguration" - "s3:GetIntelligentTieringConfiguration" + - "s3:GetLifecycleConfiguration" - "s3:GetObject" - "s3:ListAllMyBuckets" - "s3:ListBucketMultipartUploads" @@ -2338,7 +2315,7 @@ Mappings: - "s3:ListAllMyBuckets" - "s3:GetBucketLocation" - "s3:GetBucketTagging" - - "s3:GetBucketLifecycleConfiguration" + - "s3:GetLifecycleConfiguration" - "sts:GetCallerIdentity" action: [] ## AWS S3 Buckets Without MFA Delete Enabled @@ -2422,18 +2399,6 @@ Mappings: action: - "ec2:ModifyVolume" ## AWS Superseded EC2 Instances - AWSSupersededEC2Instances: - read: - - "ec2:DescribeRegions" - - "ec2:DescribeInstances" - - "ec2:DescribeTags" - - "sts:GetCallerIdentity" - action: - - "ec2:DescribeInstanceStatus" - - "ec2:ModifyInstanceAttribute" - - "ec2:StartInstances" - - "ec2:StopInstances" - ## AWS Superseded EC2 Instances AWSSupersededEC2Instances: read: - "ec2:DescribeRegions" 
@@ -4367,45 +4332,6 @@ Resources: - action Resource: "*" ## AWS Superseded EC2 Instances - iamPolicyAWSSupersededEC2InstancesRead: - Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSSupersededEC2InstancesRead - Properties: - PolicyName: !Join - - "_" - - - !Ref paramRoleName - - AWSSupersededEC2InstancesReadPermissionPolicy - Roles: - - !Ref iamRole - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: !FindInMap - - PermissionMap - - AWSSupersededEC2Instances - - read - Resource: "*" - iamPolicyAWSSupersededEC2InstancesAction: - Type: "AWS::IAM::Policy" - Condition: CreatePolicyAWSSupersededEC2InstancesAction - Properties: - PolicyName: !Join - - "_" - - - !Ref paramRoleName - - AWSSupersededEC2InstancesActionPermissionPolicy - Roles: - - !Ref iamRole - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: !FindInMap - - PermissionMap - - AWSSupersededEC2Instances - - action - Resource: "*" - ## AWS Superseded EC2 Instances iamPolicyAWSSupersededEC2InstancesRead: Type: "AWS::IAM::Policy" Condition: CreatePolicyAWSSupersededEC2InstancesRead diff --git a/tools/policy_master_permission_generation/validated_policy_templates.yaml b/tools/policy_master_permission_generation/validated_policy_templates.yaml index b47d47512f..6fc85f711b 100644 --- a/tools/policy_master_permission_generation/validated_policy_templates.yaml +++ b/tools/policy_master_permission_generation/validated_policy_templates.yaml @@ -29,7 +29,6 @@ validated_policy_templates: - "./cost/aws/object_storage_optimization/aws_object_storage_optimization.pt" - "./cost/aws/old_snapshots/aws_delete_old_snapshots.pt" - "./cost/aws/rds_instance_license_info/rds_instance_license_info.pt" -- "./cost/aws/superseded_instances/aws_superseded_instances.pt" - "./cost/aws/rightsize_ec2_instances/aws_rightsize_ec2_instances.pt" - "./cost/aws/rightsize_elasticache/aws_rightsize_elasticache.pt" - "./cost/aws/rightsize_rds_instances/aws_rightsize_rds_instances.pt"