AWS codepipeline documentation change
Summary
Added service role permissions section with required IAM policy for AppConfig actions
Security assessment
Documents required IAM permissions for secure access control, but does not indicate remediation of a specific security vulnerability. The change improves security documentation through least privilege guidance.
Diff
diff --git a/codepipeline/latest/userguide/action-reference-AppConfig.md b/codepipeline/latest/userguide/action-reference-AppConfig.md index 6e6b64840..2bc7ed937 100644 --- a/codepipeline/latest/userguide/action-reference-AppConfig.md +++ b/codepipeline/latest/userguide/action-reference-AppConfig.md @@ -5 +5 @@ -Action typeConfiguration parameters Input artifactsOutput artifactsExample action configurationSee also +Action typeConfiguration parameters Input artifactsOutput artifactsService role permissions: AppConfig actionExample action configurationSee also @@ -75,0 +76,24 @@ Not applicable. +## Service role permissions: `AppConfig` action + +When CodePipeline runs the action, the CodePipeline service role policy requires the following permissions, appropriately scoped down to the resource level in order to maintain access with least privilege. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "appconfig:StartDeployment", + "appconfig:StopDeployment", + "appconfig:GetDeployment" + ], + "Resource": [ + "arn:aws:appconfig:*:{{customerAccountId}}:application/[[Application]]", + "arn:aws:appconfig:*:{{customerAccountId}}:application/[[Application]]/*", + "arn:aws:appconfig:*:{{customerAccountId}}:deploymentstrategy/*" + ], + "Effect": "Allow" + } + ] + } +