AWS Security ChangesHomeSearch

AWS codepipeline documentation change

Service: codepipeline · 2025-03-30 · Documentation medium

File: codepipeline/latest/userguide/action-reference-ECRBuildAndPublish.md

Summary

Added detailed service role permissions section for ECRBuildAndPublish action including required IAM policies for ECR/ECR Public operations and CloudWatch logging

Security assessment

The change adds documentation about required IAM permissions and security best practices (resource scoping) but does not indicate a response to a specific security vulnerability

Diff

diff --git a/codepipeline/latest/userguide/action-reference-ECRBuildAndPublish.md b/codepipeline/latest/userguide/action-reference-ECRBuildAndPublish.md
index c2af62ff0..574b4da73 100644
--- a/codepipeline/latest/userguide/action-reference-ECRBuildAndPublish.md
+++ b/codepipeline/latest/userguide/action-reference-ECRBuildAndPublish.md
@@ -5 +5 @@
-Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesAction declarationSee also
+Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesService role permissions: ECRBuildAndPublish actionAction declarationSee also
@@ -34,0 +35,2 @@ This action is only available for V2 type pipelines.
+  * Service role permissions: ECRBuildAndPublish action
+
@@ -128,0 +131,74 @@ The name of the Amazon ECR repository where the image was pushed.
+## Service role permissions: `ECRBuildAndPublish` action
+
+For the `ECRBuildAndPublish` action support, add the following to your policy statement:
+    
+    
+    {
+        "Statement": [
+             {
+                "Sid": "ECRRepositoryAllResourcePolicy",
+                "Effect": "Allow",
+                "Action": [
+                    "ecr:DescribeRepositories",
+                    "ecr:GetAuthorizationToken",
+                    "ecr-public:DescribeRepositories",
+                    "ecr-public:GetAuthorizationToken"
+                ],
+            "Resource": "*"
+            },
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "ecr:GetAuthorizationToken",
+                    "ecr:InitiateLayerUpload",
+                    "ecr:UploadLayerPart",
+                    "ecr:CompleteLayerUpload",
+                    "ecr:PutImage",
+                    "ecr:GetDownloadUrlForLayer",
+                    "ecr:BatchCheckLayerAvailability"
+                ],
+                "Resource": "PrivateECR_Resource_ARN"
+            },
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "ecr-public:GetAuthorizationToken",
+                    "ecr-public:DescribeRepositories",
+                    "ecr-public:InitiateLayerUpload",
+                    "ecr-public:UploadLayerPart",
+                    "ecr-public:CompleteLayerUpload",
+                    "ecr-public:PutImage",
+                    "ecr-public:BatchCheckLayerAvailability",
+                    "sts:GetServiceBearerToken"
+                ],
+                "Resource": "PublicECR_Resource_ARN"
+            },
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "sts:GetServiceBearerToken"
+                ],
+                "Resource": "*"
+            }
+        ]
+    }
+
+In addition, if not already added for the `Commands` action, add the following permissions to your service role in order to view CloudWatch logs.
+    
+    
+    {
+        "Effect": "Allow",
+        "Action": [
+            "logs:CreateLogGroup",
+            "logs:CreateLogStream", 
+            "logs:PutLogEvents"
+        ],
+        "Resource": "resource_ARN"
+    },
+
+###### Note
+
+Scope down the permissions to the pipeline resource level by using resource-based permissions in the service role policy statement.
+
+For more information about this action, see [ECRBuildAndPublish build action reference](./action-reference-ECRBuildAndPublish.html).
+