The PuppetRole created by the framework has the AdministratorAccess IAM managed policy attached to it. It is reccommended that you can define an IAM Permission Boundary for the PuppetRole for any production applications of this framework.
The IAM Permission Boundary you provide should permit the PuppetRole to interact with AWS Service Catalog to accept shares, manage portfolios and to add, provision and terminate products. In addition the IAM Role should allow the use of AWS SNS, AWS EventBridge, AWS OpsCenter if you are making use of those features.
In order to use an IAM Permission Boundary you will need to append the following to your commands:
There will be an example of this for each command in these how tos.