TL;DR I made Effective IAM Actions, a small tool to expand wildcards "*"in IAM Policy Actions so that you can see explicitly what permissions are granted by a policy. It supports multiple statements in each policy, Allow and Deny
The main problem is this: By using tags for authorisation, you have a multitude of completely new - per-service - actions that can be used to compromise your security posture.
CodeCommit access via federated credentials is the way to go. You're not using long-lived Access Keys are you? Bad engineer! Stop that! For better or worse, federated IAM access requires you to use the HTTPS endpoint with a git credential
I've been playing a lot with the Serverless framework since they moved from v0.x to v1 (which is currently in beta). I really like the direction they've taken it, and have been using it for my own projects. One