CodeBuild role has Administrator access which is quite dangerous.

[laurrentt]

Request

• Bug
• New Feature
• Refactor
• Question
• Documentation
• Tests
• Other

Details

I stumbled upon this piece of code https://github.com/stelligent/cloudformation_templates/blob/master/labs/codebuild/codebuild.yml#L194 while searching for reference how to create a proper CodeBuild service role. Giving a role arn:aws:iam::aws:policy/AdministratorAccess is a terrible security practice, even for example code. A malicious pull request could alter the buildspec.yml and access the whole AWS account.