As the master needs much more permissions (especially if we at some point enable more cloud functionality) it would be good to keep policies separate, similar to following:
https://github.com/kubernetes/kubernetes/tree/release-1.5/cluster/aws/templates/iam