Restrict "iam:CreateRole" and "iam:CreatePolicy" to work for kinesis data stream creation only

Hello

I am trying to create a kinesis data stream with the management console and an account that is restricted to using several services including Kinesis Data Firehose.

I found that to complete the operation I need additional permissions:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
"Action": [ "logs:CreateLogGroup", "logs:CreateLogStream" ], "Resource": ["arn:aws:logs:ap-southeast-2:548097210593:log-group:"] }, { "Effect": "Allow",
"Action": [ "iam:CreateRole" ], "Resource": ["arn:aws:iam::548097210593:role/service-role/"] },
{ "Effect": "Allow", "Action": [ "iam:CreatePolicy" ], "Resource": ["arn:aws:iam::548097210593:policy/service-role/"] }, { "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicyVersion", "iam:PassRole" ], "Resource": ["arn:aws:iam::548097210593:role/service-role/KinesisFirehoseServiceRole-"] } ] }

Is there a way to make "iam:CreateRole" and "iam:CreatePolicy" to be more selective and allow only during the creation of a kinesis data stream?

Note that I make it more specific about the resources for "iam:AttachRolePolicy" and "iam:PassRole" But the same does not work for "iam:CreateRole" and "iam:CreatePolicy". The Role and Policy do not exist at the moment the actions is performed so