AWS codepipeline documentation change
Summary
Added 'Service role permissions: Commands action' section with logging permissions policy
Security assessment
Documents CloudWatch Logs permissions for command execution monitoring as part of security best practices
Diff
diff --git a/codepipeline/latest/userguide/action-reference-Commands.md b/codepipeline/latest/userguide/action-reference-Commands.md index 4b9cd2d1e..c19d10f8e 100644 --- a/codepipeline/latest/userguide/action-reference-Commands.md +++ b/codepipeline/latest/userguide/action-reference-Commands.md @@ -5 +5 @@ -Considerations for the Commands actionService role policy permissionsAction typeConfiguration parametersInput artifactsOutput artifactsEnvironment variables Action declaration (example)See also +Considerations for the Commands actionService role policy permissionsAction typeConfiguration parametersInput artifactsOutput artifactsEnvironment variables Service role permissions: Commands actionAction declaration (example)See also @@ -34,0 +35,2 @@ The Commands action is only available for V2 type pipelines. + * Service role permissions: Commands action + @@ -216,0 +219,23 @@ The value for the key-value pair, such as `Production`. The value can be paramet +## Service role permissions: Commands action + +For Commands support, add the following to your policy statement: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Resource": [ + "arn:aws:logs:{{region}}:{{customerAccountId}}:log-group:/aws/codepipeline/{{pipelineName}}", + "arn:aws:logs:{{region}}:{{customerAccountId}}:log-group:/aws/codepipeline/{{pipelineName}}:log-stream:*" + ] + } + ] + } +