AWS Security ChangesHomeSearch

AWS codepipeline documentation change

Service: codepipeline · 2025-03-30 · Documentation medium

File: codepipeline/latest/userguide/action-reference-AppConfig.md

Summary

Added service role permissions section with required IAM policy for AppConfig actions

Security assessment

Documents required IAM permissions for secure access control, but does not indicate remediation of a specific security vulnerability. The change improves security documentation through least privilege guidance.

Diff

diff --git a/codepipeline/latest/userguide/action-reference-AppConfig.md b/codepipeline/latest/userguide/action-reference-AppConfig.md
index 6e6b64840..2bc7ed937 100644
--- a/codepipeline/latest/userguide/action-reference-AppConfig.md
+++ b/codepipeline/latest/userguide/action-reference-AppConfig.md
@@ -5 +5 @@
-Action typeConfiguration parameters Input artifactsOutput artifactsExample action configurationSee also
+Action typeConfiguration parameters Input artifactsOutput artifactsService role permissions: AppConfig actionExample action configurationSee also
@@ -75,0 +76,24 @@ Not applicable.
+## Service role permissions: `AppConfig` action
+
+When CodePipeline runs the action, the CodePipeline service role policy requires the following permissions, appropriately scoped down to the resource level in order to maintain access with least privilege.
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+             {
+                "Action": [
+                    "appconfig:StartDeployment",
+                    "appconfig:StopDeployment",
+                    "appconfig:GetDeployment"
+                ],
+                "Resource": [
+                 "arn:aws:appconfig:*:{{customerAccountId}}:application/[[Application]]",
+                 "arn:aws:appconfig:*:{{customerAccountId}}:application/[[Application]]/*",
+                 "arn:aws:appconfig:*:{{customerAccountId}}:deploymentstrategy/*"
+             ],
+                "Effect": "Allow"
+            }
+        ]
+    }
+