AWS Security ChangesHomeSearch

AWS codepipeline documentation change

Service: codepipeline · 2025-03-30 · Documentation low

File: codepipeline/latest/userguide/action-reference-Commands.md

Summary

Added 'Service role permissions: Commands action' section with logging permissions policy

Security assessment

Documents CloudWatch Logs permissions for command execution monitoring as part of security best practices

Diff

diff --git a/codepipeline/latest/userguide/action-reference-Commands.md b/codepipeline/latest/userguide/action-reference-Commands.md
index 4b9cd2d1e..c19d10f8e 100644
--- a/codepipeline/latest/userguide/action-reference-Commands.md
+++ b/codepipeline/latest/userguide/action-reference-Commands.md
@@ -5 +5 @@
-Considerations for the Commands actionService role policy permissionsAction typeConfiguration parametersInput artifactsOutput artifactsEnvironment variables Action declaration (example)See also
+Considerations for the Commands actionService role policy permissionsAction typeConfiguration parametersInput artifactsOutput artifactsEnvironment variables Service role permissions: Commands actionAction declaration (example)See also
@@ -34,0 +35,2 @@ The Commands action is only available for V2 type pipelines.
+  * Service role permissions: Commands action
+
@@ -216,0 +219,23 @@ The value for the key-value pair, such as `Production`. The value can be paramet
+## Service role permissions: Commands action
+
+For Commands support, add the following to your policy statement:
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "logs:CreateLogGroup",
+                    "logs:CreateLogStream",
+                    "logs:PutLogEvents"
+                ],
+                "Resource": [
+                    "arn:aws:logs:{{region}}:{{customerAccountId}}:log-group:/aws/codepipeline/{{pipelineName}}",
+                    "arn:aws:logs:{{region}}:{{customerAccountId}}:log-group:/aws/codepipeline/{{pipelineName}}:log-stream:*"
+                ]
+            }
+        ]
+    }
+