AWS Security ChangesHomeSearch

AWS codepipeline medium security documentation change

Service: codepipeline · 2025-03-10 · Security-related medium

File: codepipeline/latest/userguide/action-reference-EKS.md

Summary

Updated EKS action reference with cross-account guidance, parameter corrections, and IAM policy ARN restrictions

Security assessment

Changed IAM resource from wildcard ('eks:*') to specific ARN in example policy, addressing potential over-permission security risks through least privilege implementation.

Diff

diff --git a/codepipeline/latest/userguide/action-reference-EKS.md
index a62df145e..c329b52ce 100644
--- a/codepipeline/latest/userguide/action-reference-EKS.md
+++ b/codepipeline/latest/userguide/action-reference-EKS.md
@@ -7 +7 @@ Action typeConfiguration parameters Input artifactsOutput artifactsEnvironment v
-# Amazon Elastic Kubernetes Service `EKSDeploy` action reference
+# Amazon Elastic Kubernetes Service `EKS` deploy action reference
@@ -23 +23 @@ The EKS action supports both public and private EKS clusters. Private clusters a
-The EKS action is supported for cross-account or cross-Region actions.
+The EKS action is supported for cross-account actions. To add a cross-account EKS action, add `actionRoleArn` from your target account in the action declaration.
@@ -115 +115 @@ Required: No
-The variable namespace for the action.
+The kubernetes namepsace to be used in `kubectl` or `helm` commands.
@@ -124 +124 @@ The subnets for the VPC for your cluster. These are part of the same VPC that is
-**SecurityGroups**
+**SecurityGroupIds**
@@ -135 +135 @@ The security groups for the VPC for your cluster. These are part of the same VPC
-  * **Description:** The action looks for the Kubernetes manifest file or Helm chart in the source file repository for the pipeline. ).
+  * **Description:** The action looks for the Kubernetes manifest file or Helm chart in the source file repository for the pipeline).
@@ -226 +226 @@ In the service role policy statement, scope down the permissions to the resource
-                "Resource": "eks:"
+                "Resource": "arn:aws:eks:*:YOUR_AWS_ACCOUNT_ID:cluster/YOUR_CLUSTER_NAME"
@@ -241 +241 @@ In the service role policy statement, scope down the permissions to the resource
-                "Resource": "ec2:"
+                "Resource": "*"
@@ -250 +250 @@ In the service role policy statement, scope down the permissions to the resource
-                "Resource": "log:"
+                "Resource": [ "arn:aws:logs:*:YOUR_AWS_ACCOUNT_ID:log-group:/aws/codepipeline/YOUR_PIPELINE_NAME","arn:aws:logs:*:YOUR_AWS_ACCOUNT_ID:log-group:/aws/codepipeline/YOUR_PIPELINE_NAME:*"]