Validate IAM policies

[rclark]

Right now, template validation will accept a template with IAM policies that are completely invalid. It could be interesting to try mixing in calls to iam.simulateCustomPolicy() with template validation. The goal wouldn't be to actually test that the policies provide some permission, but just that if you provide this API with a policy that contains invalid syntax, it will fail.

This could help prevent the horrible cycle of deploy-fail-debug-deploy that plagues everyone from time to time.