IAM/S3/SQS/SNS mutation permissions are needed for ConsoleMe self-service and cross-account permission mutation to work, so that change may cause confusion. Perhaps we could add a read-only configuration for folks that aren't ready to deploy fully?

Agreed with @castrapel. I see three options here, in ascending order of work/involvement:

1. Remove the policy changes from this PR (the quickest way to get this change merged)
2. A read-only deployment option that uses the version of the policy in this PR
3. Update ConsoleMe to support distinct roles for logins vs mutation, such as ConsoleMeTrustRole and ConsoleMeManagementRole, with an option to not deploy the latter for read-only deployments

Hello both - thanks for the feedback. I fixed the CDK deployment while first exploring the project to get going - the second commit is naive on my part.

I've removed the IAM commit so the basic fix can be merged and potentially come back to options 2 and 3 when I understand the codebase better :)

@avishayil how does this look to you?