A developer doesn't need admin access to the AWS console to install malware, bitcoin miners, etc. He just needs to have his code installed. The person who is deploying the developer's code installed is rarely going to code review the code before its installed. If my code has access to production when you deploy it, I can make it do anything I want and you would never know.