AWS Security ChangesHomeSearch

AWS codepipeline documentation change

Service: codepipeline · 2025-03-30 · Documentation medium

File: codepipeline/latest/userguide/action-reference-CloudFormation.md

Summary

Added detailed service role permissions section with IAM policy requirements for CloudFormation actions

Security assessment

Provides granular permission requirements for secure CloudFormation operations. While security-related, this appears to be proactive documentation improvement rather than addressing a known vulnerability.

Diff

diff --git a/codepipeline/latest/userguide/action-reference-CloudFormation.md b/codepipeline/latest/userguide/action-reference-CloudFormation.md
index e3c5a831c..697bc42d3 100644
--- a/codepipeline/latest/userguide/action-reference-CloudFormation.md
+++ b/codepipeline/latest/userguide/action-reference-CloudFormation.md
@@ -5 +5 @@
-Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesAction declarationSee also
+Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesService role permissions: AWS CloudFormation actionAction declarationSee also
@@ -26,0 +27,2 @@ If you do not want the resource details surfaced in the pipeline error messages,
+  * Service role permissions: AWS CloudFormation action
+
@@ -264,0 +267,58 @@ For more information, see [Variables reference](./reference-variables.html). For
+## Service role permissions: AWS CloudFormation action
+
+When CodePipeline runs the action, the CodePipeline service role policy requires the following permissions, appropriately scoped down to the pipeline resource ARN in order to maintain access with least privilege. For example, add the following to your policy statement:
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "AllowCFNStackAccess",
+          "Effect": "Allow",
+          "Action": [
+            "cloudformation:CreateStack",
+            "cloudformation:UpdateStack",
+            "cloudformation:DeleteStack",
+            "cloudformation:DescribeStacks",
+            "cloudformation:DescribeStackResources",
+            "cloudformation:DescribeStackEvents",
+            "cloudformation:GetTemplate",
+            "cloudformation:DescribeChangeSet",
+            "cloudformation:CreateChangeSet",
+            "cloudformation:DeleteChangeSet",
+            "cloudformation:ExecuteChangeSet"
+          ],
+          "Resource": [
+            "arn:aws:cloudformation:*:{{customerAccountId}}:stack/[[cfnDeployStackNames]]/*"
+           ]
+        },
+        {
+          "Sid": "ValidateTemplate",
+          "Effect": "Allow",
+          "Action": [
+            "cloudformation:ValidateTemplate"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "AllowIAMPassRole",
+          "Effect": "Allow",
+          "Action": [
+            "iam:PassRole"
+          ],
+          "Resource": [
+            "arn:aws:iam::{{customerAccountId}}:role/[[cfnExecutionRoles]]"
+          ],
+          "Condition": {
+            "StringEqualsIfExists": {
+              "iam:PassedToService": [
+                "cloudformation.amazonaws.com"
+              ]
+            }
+          }
+        }
+      ]
+    }
+
+Note that the `cloudformation:DescribeStackEvents` permission is optional. It allows the AWS CloudFormation action to show a more detailed error message. This permission can be revoked from the IAM role if you don't want resource details surfaced in the pipeline error messages.
+