ECR deployment role contains wildcard permissions

[kukushking]

ECRDeployment construct always adds a default policy (below) that contains wildcard permissions to the ECR deployment role, even if a custom role is passed to the construct. This unfortunately fails CDK-nag security checks, and requires suppression rules.

I would like to be able to implement least-privilege IAM policies i.e. limit IAM actions to the specific repo/s3 bucket arn.

If a custom role is passed, I expect as the default behavior to not have any additional policies added to the role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:PutImage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "s3:GetObject",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

[ndrpp]

Can't this be solved by putting a .withoutPolicyUpdates() after the role?
example:

   const ecrDeploy = new ecrdeploy.ECRDeployment(this, deploymentName, {
      src,
      dest,
      role: myRole.withoutPolicyUpdates()
    })