Status: IN
The four IAM permissions needed to create a DAX service role (iam:CreateRole, iam:CreatePolicy, iam:AttachRolePolicy, iam:PassRole) are intentionally excluded from AWS managed DynamoDB policies to prevent privilege escalation.
Source: entries/2026/03/11/amazondynamodb-latest-developerguide-DAXcreate-clusterhtml.md