We recommend that you do not add policies to IAM roles that include permissions for IAM actions. The policy illustrated here is useful for IAM users in your own account, but should not be assigned to a role that can be assumed by users in another account or by a federated user.
Data Encryption Options
Your private encryption keys and your unencrypted data are never stored by AWS; therefore, it is important that you safely manage your encryption keys. If you lose them, you won't be able to decrypt your data.