I want to be able to give my admin users the permission to create policies in IAM, but I want to make sure that they aren't able to create a policy that affects a specific resource.
To be more specific, these admin users are currently in a user group with a policy that gives them full S3 access except for a specific S3 bucket (in this case, it's a bucket that contains CloudTrail logs). They are also in another user group that gives them full access to IAM, which means it would be easy enough for them to create/edit this S3 policy to give themselves access to that bucket again. Is there a way to do what I'm trying to do, or perhaps a better way to set this up?
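The setup described above cannot be enforced with IAM alone in the direction the question asks (IAM has no condition key on the *contents* of a policy being created), so the usual control is a permissions boundary: a ceiling attached to each admin user that denies the bucket regardless of what their identity policies say, and an IAM-admin policy that only lets them create or re-permission principals carrying that same boundary. The following is an added example, not part of the question or of any answer on the page; it goes slightly beyond the question by showing the boundary approach in full. The account id, bucket name, policy name and the `unpinned_iam_grants` lint function are constructed for illustration.

```python
"""Added example (not from the question): a permissions-boundary setup that keeps
delegated IAM admins out of the CloudTrail bucket, plus a small lint that flags
IAM grants which are not pinned to that boundary. The account id, bucket name
and policy name are constructed placeholders."""
import fnmatch

ACCOUNT_ID = "111122223333"             # placeholder, not a real account
LOG_BUCKET = "example-cloudtrail-logs"  # placeholder bucket name
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/AdminBoundary"

# IAM actions that create or re-permission a user or role. Each supports the
# iam:PermissionsBoundary condition key, so a policy can insist on the boundary.
BOUNDARY_SENSITIVE = {
    "iam:CreateUser", "iam:CreateRole",
    "iam:PutUserPermissionsBoundary", "iam:PutRolePermissionsBoundary",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy",
}

# 1. The boundary, attached to every admin user. Effective permissions are the
#    intersection of identity policies and this document, so editing the S3
#    group policy no longer helps: the explicit Deny below still applies, and an
#    explicit Deny also overrides a bucket policy written with s3:PutBucketPolicy.
ADMIN_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Ceiling", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "NoCloudTrailBucket", "Effect": "Deny", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{LOG_BUCKET}", f"arn:aws:s3:::{LOG_BUCKET}/*"]},
        # The boundary must protect itself: no new versions of this policy...
        {"Sid": "NoEditingBoundary", "Effect": "Deny",
         "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                    "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
         "Resource": BOUNDARY_ARN},
        # ...and no removing it from any user or role.
        {"Sid": "NoRemovingBoundary", "Effect": "Deny",
         "Action": ["iam:DeleteUserPermissionsBoundary",
                    "iam:DeleteRolePermissionsBoundary"],
         "Resource": "*"},
    ],
}

# 2. Replacement for the "full IAM access" group policy: still iam:*, but any
#    principal the admins create or re-permission must carry the same boundary.
#    StringNotEquals is true when the key is absent, so CreateUser without a
#    boundary is denied as well.
DELEGATED_IAM_ADMIN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "IamAdmin", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Sid": "OnlyWithBoundary", "Effect": "Deny",
         "Action": sorted(BOUNDARY_SENSITIVE), "Resource": "*",
         "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    ],
}

# The policy the question describes today: full IAM, nothing pinning a boundary.
FULL_IAM_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action names are case-insensitive and accept "*" / "?" wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _pins_boundary(stmt, boundary_arn, operator):
    cond = stmt.get("Condition", {}).get(operator, {})
    return boundary_arn in _as_list(cond.get("iam:PermissionsBoundary", []))


def unpinned_iam_grants(policy, boundary_arn):
    """Return the boundary-sensitive IAM actions an identity policy could allow
    without `boundary_arn` being set on the target principal.

    An action counts as pinned when every Allow covering it requires
    StringEquals iam:PermissionsBoundary == boundary_arn, or when a Deny covers
    it either unconditionally or with StringNotEquals on that key.
    NotAction statements are not modelled; treat them as findings in review.
    """
    allowed, blocked = set(), set()
    for stmt in policy["Statement"]:
        hits = {a for a in BOUNDARY_SENSITIVE if _matches(a, stmt.get("Action", []))}
        if stmt["Effect"] == "Allow" and not _pins_boundary(stmt, boundary_arn, "StringEquals"):
            allowed |= hits
        elif stmt["Effect"] == "Deny" and (
            "Condition" not in stmt or _pins_boundary(stmt, boundary_arn, "StringNotEquals")
        ):
            blocked |= hits
    return sorted(allowed - blocked)


if __name__ == "__main__":
    print("full IAM access, unpinned:", unpinned_iam_grants(FULL_IAM_ACCESS, BOUNDARY_ARN))
    print("delegated admin, unpinned:", unpinned_iam_grants(DELEGATED_IAM_ADMIN, BOUNDARY_ARN))
```

Two caveats apply before relying on this. Group actions (`iam:AttachGroupPolicy`, `iam:PutGroupPolicy`) and existing users that carry no boundary are not covered by the `iam:PermissionsBoundary` key, so a bounded admin could still grant the bucket to such a principal; AWS's own delegation guidance scopes those actions to an IAM path the delegated admins control, and the lint above would report nothing for them. Where the account is in an AWS Organization, a service control policy that denies the CloudTrail bucket to everything except the audit role is the simpler control, since it applies to every principal in the account and cannot be edited from inside it.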