Hi,
As a SaaS ISV selling a product on the AWS Marketplace, I decided to use the AWS Audit Manager continuous automated assessment documented in Step 4 here: https://docs.aws.amazon.com/marketplace/latest/userguide/vendor-insights-setting-up.html.
However, the stacks and stacksets that it references (Github repo) (associated with conformance pack "AWSVendorInsightsConformancePackv1") , create AWS resources that themselves violate the checks/postures embodied in the said automated assessment, creating a downward spiral of work that never reaches a finish line:
Another head-scratcher rule is "no inline policies" in IAM User, Roles, or Groups; when AWS's first-party configuration wizards routinely use this.
Please recall the AWSVendorInsightsConformancePackv1 scripts if they are so clearly unhelpful to a Marketplace ISV to reach any reasonable finish line.
Thanks,
Sid