Do I need to add an IAM policy and user for Cloud Custodian?

No. Using Cloud Custodian with Kion does not require an IAM policy or user. Kion's compliance engine leverages the existing service user and service role, so Cloud Custodian is built in.