AWS Security ChangesHomeSearch

AWS codepipeline documentation change

Service: codepipeline · 2025-03-30 · Documentation medium

File: codepipeline/latest/userguide/action-reference-CodeBuild.md

Summary

Added service role permissions section with required IAM policy for CodeBuild actions

Security assessment

Documents necessary permissions for CodeBuild integration but does not indicate resolution of a security flaw. The change enhances security documentation through explicit access control guidance.

Diff

diff --git a/codepipeline/latest/userguide/action-reference-CodeBuild.md b/codepipeline/latest/userguide/action-reference-CodeBuild.md
index 97e1b0f60..702559934 100644
--- a/codepipeline/latest/userguide/action-reference-CodeBuild.md
+++ b/codepipeline/latest/userguide/action-reference-CodeBuild.md
@@ -5 +5 @@
-Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesAction declaration (CodeBuild example)See also
+Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesService role permissions: CodeBuild actionAction declaration (CodeBuild example)See also
@@ -24,0 +25,2 @@ When you use the CodePipeline wizard in the console to create a build project, t
+  * Service role permissions: CodeBuild action
+
@@ -166,0 +169,23 @@ For more information about using CodeBuild environment variables in CodePipeline
+## Service role permissions: CodeBuild action
+
+For CodeBuild support, add the following to your policy statement:
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Action": [
+            "codebuild:BatchGetBuilds",
+            "codebuild:StartBuild",
+            "codebuild:BatchGetBuildBatches",
+            "codebuild:StartBuildBatch"
+          ],
+          "Resource": [
+            "arn:aws:codebuild:*:{{customerAccountId}}:project/[[ProjectName]]"
+          ],
+          "Effect": "Allow"
+        }
+      ]
+    }
+