Least-Privilege CI/CD on AWS: The 4-Layer Pattern That Scales to 200 Pipelines

DEV Community·Alexey Vidanov·23 days ago
#aws #security #role #policy #pipeline #access

TL;DR: CI/CD pipelines deploying to AWS need AWS Identity and Access Management (IAM) permissions to do their job, but giving them broad permissions creates the largest unmonitored attack surface in most organizations. The right pattern is:

- One repo, many roles. The repo is shared; the IAM role is per-environment, per-pipeline. Trust policies (not pipeline definitions) enforce who can deploy where.
- OIDC, not access keys. Both GitLab and GitHub federate to AWS via OIDC. No long-lived credentials in CI variables.
- Learning role in dev, Operations role in prod. Dev runs broad and observed; AWS CloudTrail records actual usage; IAM Access Analyzer generates a tight policy; that policy lives in code and ships to prod.
- Layer guardrails. Service control policies (SCPs) at the org level, permission boundaries on every role, identity policies for actual grants. Stack them so any single failure is contained.
- Treat IAM changes like code.…
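As an added example (not code from the article or its author), the "one repo, many roles" idea for a GitHub Actions OIDC deploy role: the trust policy pins the token audience and the exact repo and GitHub environment, so the trust policy, not the workflow file, decides who can deploy where; the audit function flags trust policies that would let more than one repo or environment assume the role. The account ID 123456789012, org acme, repo platform and environment prod are constructed placeholders.

```python
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"


def github_oidc_trust_policy(account_id: str, org: str, repo: str, environment: str) -> dict:
    """Trust policy for one per-environment deploy role: only workflows of the
    named repo running in the named GitHub environment may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                # Pin the audience and the exact repo/environment the token must carry.
                f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com",
                f"{GITHUB_OIDC_HOST}:sub": f"repo:{org}/{repo}:environment:{environment}",
            }},
        }],
    }


def audit_trust_policy(policy: dict) -> list:
    """Findings for Allow statements that would let more than one repo or
    environment assume the role (the 'who can deploy where' check)."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{GITHUB_OIDC_HOST}:aud") != "sts.amazonaws.com":
            findings.append(f"statement {i}: audience not pinned to sts.amazonaws.com")
        subs = []
        for op in ("StringEquals", "StringLike"):
            sub = cond.get(op, {}).get(f"{GITHUB_OIDC_HOST}:sub")
            if sub is not None:
                subs.extend([sub] if isinstance(sub, str) else sub)
        if not subs:
            findings.append(f"statement {i}: no sub condition, any GitHub repo could assume the role")
        for sub in subs:
            if "*" in sub or "?" in sub:
                findings.append(f"statement {i}: wildcard sub '{sub}' spans more than one repo/environment")
            elif ":environment:" not in sub and ":ref:" not in sub:
                findings.append(f"statement {i}: sub '{sub}' pins no environment or branch")
    return findings
```

Running the audit over every deploy role's trust policy in CI is one way to treat IAM changes like code: a pull request that widens a `sub` condition to a wildcard fails the check before it reaches prod.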
