Capabilities that affect whether CloudFormation is allowed to change IAM resources.
Capability to create anonymous IAM resources.
Pass this capability if you’re only creating anonymous resources.
Capability to run CloudFormation macros.
Pass this capability if your template includes macros, for example AWS::Include or AWS::Serverless.
Capability to create named IAM resources.
Pass this capability if you’re creating IAM resources that have physical names.
CloudFormationCapabilities.IAM; you don’t have to pass both.
No IAM Capabilities.
Pass this capability if you wish to block the creation IAM resources.