I would like to propose the following changes to tighten IAM policies. None of these changes should have any noticeable effect.
The current S3 state bucket policy does not actually do anything because the bucket and the principals accessing it are in the same account, so effective permissions are granted by the identity policy and not the bucket policy. Removing it simply reduces the number of policies that need to be audited.
Adding "aws:SourceArn" helps mitigate confused deputy attacks. We explicitly specify resources that can assume that role.
Adding permissions to OrgBuildRole helps CodeBuild to continue running successfully even if AdministratorAccess access policy is removed from that role.
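The aws:SourceArn condition described above, as an added illustration that is not the PR's own policy: a CodeBuild trust policy with and without the condition, plus a toy evaluator showing why the condition blocks a confused-deputy request from a project the role was never meant to serve. The project ARNs are constructed placeholders and the evaluator is a simplified model of the condition check, not AWS's policy engine.

```python
"""Illustration of an aws:SourceArn trust-policy condition (added example).
ARNs below are constructed placeholders; the evaluator is a toy model of the
condition check for one key, not AWS's policy engine."""
import fnmatch

OUR_PROJECT = "arn:aws:codebuild:us-east-1:111111111111:project/org-build"  # constructed
OTHER_PROJECT = "arn:aws:codebuild:us-east-1:222222222222:project/someone-else"  # constructed
CODEBUILD = "codebuild.amazonaws.com"


def trust_policy(source_arn_pattern=None):
    """Return a CodeBuild trust policy; with a pattern, add the aws:SourceArn condition."""
    statement = {
        "Effect": "Allow",
        "Principal": {"Service": CODEBUILD},
        "Action": "sts:AssumeRole",
    }
    if source_arn_pattern is not None:
        # ArnLike accepts wildcards; ArnEquals is the exact-match form.
        statement["Condition"] = {"ArnLike": {"aws:SourceArn": source_arn_pattern}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def evaluate_assume_role(policy, service, source_arn):
    """Toy evaluation: True if a statement allows sts:AssumeRole for this service
    principal and every condition on it matches the calling resource's ARN."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("Service") != service:
            continue
        ok = True
        for operator, keys in stmt.get("Condition", {}).items():
            for key, pattern in keys.items():
                if key != "aws:SourceArn":
                    ok = False  # this toy models only aws:SourceArn
                elif operator == "ArnLike":
                    ok = ok and fnmatch.fnmatchcase(source_arn, pattern)
                elif operator == "ArnEquals":
                    ok = ok and source_arn == pattern
                else:
                    ok = False
        if ok:
            return True
    return False


if __name__ == "__main__":
    # Without the condition, any CodeBuild project in any account can assume the role.
    print(evaluate_assume_role(trust_policy(), CODEBUILD, OTHER_PROJECT))
    # With it, only the named project can.
    print(evaluate_assume_role(trust_policy(OUR_PROJECT), CODEBUILD, OTHER_PROJECT))
```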