{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequirePermissionsBoundary",
            "Effect": "Allow",
            "Action": [
                "iam:DetachRolePolicy",
                "iam:CreateRole",
                "iam:AttachRolePolicy"
            ],
            "Resource": "arn:aws:iam::${account}:role/$${aws:PrincipalTag/IAM:NamePrefix}*",
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::${account}:policy/$${aws:PrincipalTag/IAM:PermissionsBoundary}"
                }
            }
        },
        {
            "Sid": "DeleteAppropriatelyNamedRole",
            "Effect": "Allow",
            "Action": "iam:DeleteRole",
            "Resource": "arn:aws:iam::${account}:role/$${aws:PrincipalTag/IAM:NamePrefix}*"
        },
        {
            "Sid": "ModifyAppropriatelyNamedPolicies",
            "Effect": "Allow",
            "Action": [
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion"
            ],
            "Resource": "arn:aws:iam::${account}:policy/$${aws:PrincipalTag/IAM:NamePrefix}**"
        },
        {
            "Sid": "AdditionalUsefulAccessTODO",
            "Effect": "Allow",
            "Action": [
                "iam:Get*",
                "iam:List*",
                "iam:GenerateServiceLastAccessedDetails"
            ],
            "Resource": "*"
        }
    ]
}