aws.iam-policy - fetch only local policies by default #6815

Closed
ajkerrigan opened this issue Jul 16, 2021 · 2 comments

@ajkerrigan
Member

I do wonder if we want to do a follow-up branch to default to only customer managed policies wrt server side query.

I cannot comment for all users of this but I'm certainly filtering down to just my customer policies when I am running my policies. A default or some intuitive way to do this would be welcome.

Agreed - the Config source will fetch only local policies by default; that seems intuitive (and much more performant) for the Describe source too. Implementation-wise, it seems that we'd want to:

  • Allow the policy to specify Scope to list_policies
  • Default to Local

This feels similar to how we've handled the ClusterStates server-side filter for EMR. Perhaps we could handle this in a similar way?

Originally posted by @trastle in #6751 (comment)

@kapilt
Collaborator

kapilt commented Jul 16, 2021

We can add the static query on to the enumeration as a simpler option; I'm just not clear what use cases there are for custodian on managed policies.

@ajkerrigan
Member Author

ajkerrigan commented Aug 12, 2021

This is done (using the static query unless/until there's a need to support AWS-managed policies).
