This repository has been archived by the owner on Jul 22, 2021. It is now read-only.

Should the AdministratorAccess Managed Policy count? #89

Open
bwhaley opened this issue Jul 30, 2019 · 0 comments

bwhaley commented Jul 30, 2019

I notice that check 1.24 searches only locally scoped policies. I agree that this seems to satisfy the intent of the requirement, which states:

Ensure IAM policies that allow full "*:*" administrative privileges are not created

(emphasis on the not created).

However, the audit step doesn't say anything about local scope, and if one didn't include local scope, this requirement would not be achievable as the admin managed policy cannot be deleted. At a minimum, it does seem like the admin policy shouldn't be attached for the requirement to be satisfied. This is currently skipped in the audit.

What are your thoughts?
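
Added example, not part of the original issue or the project's code: a sketch of an audit that covers both cases the issue raises, flagging customer-managed policies that allow full admin (they should not be created) and the AWS-managed admin policy only when it is attached (it cannot be deleted). The input is constructed sample data shaped like `aws iam list-policies` entries with the policy document inlined under a hypothetical `Document` key; statements using `Condition` or `NotAction` are not evaluated.

```python
AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"

# Constructed sample input: entries shaped like `aws iam list-policies` output,
# with each policy's default-version document inlined under "Document"
# (an assumption so the example runs offline; the account ID is made up).
FULL_ADMIN = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SAMPLE_POLICIES = [
    {"PolicyName": "AdministratorAccess", "AttachmentCount": 2,
     "Arn": AWS_MANAGED_PREFIX + "AdministratorAccess", "Document": FULL_ADMIN},
    {"PolicyName": "ops-full-admin", "AttachmentCount": 0,
     "Arn": "arn:aws:iam::123456789012:policy/ops-full-admin", "Document": FULL_ADMIN},
    {"PolicyName": "s3-read", "AttachmentCount": 1,
     "Arn": "arn:aws:iam::123456789012:policy/s3-read",
     "Document": {"Version": "2012-10-17", "Statement":
                  {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}}},
]

def _as_list(value):
    # IAM allows Statement, Action and Resource to be a single item or a list.
    return value if isinstance(value, list) else [value]

def allows_full_admin(document):
    """True if any statement is Effect=Allow with Action "*" over Resource "*"."""
    for stmt in _as_list(document.get("Statement", [])):
        if (stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            return True
    return False

def audit(policies):
    """Return (policy name, reason) findings for both cases raised in the issue."""
    findings = []
    for policy in policies:
        if not allows_full_admin(policy["Document"]):
            continue
        if not policy["Arn"].startswith(AWS_MANAGED_PREFIX):
            # Customer-managed: the policy should not have been created at all.
            findings.append((policy["PolicyName"], "customer-managed policy allows *:*"))
        elif policy["AttachmentCount"] > 0:
            # AWS-managed: cannot be deleted, so only attachment is actionable.
            findings.append((policy["PolicyName"], "AWS-managed admin policy is attached"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_POLICIES):
        print(f"FAIL {name}: {reason}")
```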
