let prohibited_principals = [lambda.amazonaws.com, ec2.amazonaws.com]

    # Test comment
AWS::IAM::Role AssumeRolePolicyDocument.Statement.*.Principal.Service.* NOT_IN %prohibited_principals