[Security Concern] cdkExec role and environment roles contain policies that pose a broader attack radius
Is your idea related to a problem? Please describe.
While onboarding / linking an external AWS account to data.all as an environment, CDK trust has to be established, which creates a cdkExecPolicy with broad IAM permissions to create, delete, etc. any role in that environment account.
Similarly, when an environment is created, the environment stack creates service policies which also have broad permissions.
This is a concern for anyone onboarding their AWS account to data.all: if an attacker is able to assume these roles, they could ultimately create super role(s) with admin permissions and easily gain control over the AWS account.
Describe the solution you'd like
Restrict the IAM permissions of these roles so that they can only operate within the boundary of data.all assets: they can only create roles that are related to data.all, and they have access only to roles that belong to data.all.
This issue of overly broad permissions is also captured by the Checkov results here: https://github.com/data-dot-all/dataall/issues/1524, https://github.com/data-dot-all/dataall/issues/1610
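To make the requested restriction concrete, here is an added example (not data.all's own code): a broad statement of the shape described above beside a scoped one, and a small lint that flags role-management grants not confined to a data.all role-name prefix and a permissions boundary. The account id, the `dataall-` prefix and the boundary policy ARN are assumed placeholder values, not taken from the project.

```python
import fnmatch

# Actions that let a principal mint or reshape other roles in the account.
ROLE_MANAGEMENT_ACTIONS = {
    "iam:CreateRole", "iam:DeleteRole", "iam:AttachRolePolicy",
    "iam:DetachRolePolicy", "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy",
}

# Constructed: the broad shape of statement the issue objects to.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
]}

# Constructed: the same capability confined to data.all-named roles, and
# only able to create roles that carry a permissions boundary.
# Account id, prefix and boundary ARN are assumed placeholder values.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": sorted(ROLE_MANAGEMENT_ACTIONS),
     "Resource": "arn:aws:iam::123456789012:role/dataall-*",
     "Condition": {"StringEquals": {
         "iam:PermissionsBoundary":
             "arn:aws:iam::123456789012:policy/dataall-boundary"}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _role_scoped(resource, prefix):
    """True only for an IAM role ARN whose role name starts with prefix."""
    return ":role/" in resource and resource.split(":role/", 1)[1].startswith(prefix)


def find_broad_role_grants(policy, role_prefix="dataall-"):
    """Return (statement index, reason) for each Allow statement that grants
    role-management actions beyond roles named with role_prefix, or that can
    create roles without pinning a permissions boundary."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        granted = {a for a in ROLE_MANAGEMENT_ACTIONS
                   if any(fnmatch.fnmatchcase(a, p) for p in patterns)}
        if not granted:
            continue
        if not all(_role_scoped(r, role_prefix) for r in _as_list(stmt.get("Resource", "*"))):
            findings.append((idx, "role-management actions on resources outside %s* roles" % role_prefix))
        boundary = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PermissionsBoundary")
        if "iam:CreateRole" in granted and not boundary:
            findings.append((idx, "iam:CreateRole without a permissions-boundary condition"))
    return findings
```

Running `find_broad_role_grants` over a stack's synthesized policy documents gives a quick pre-deployment check that complements the Checkov findings linked above.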