AWS codepipeline documentation change
Summary
Added service role permissions section for Amazon ECS standard action with minimum required IAM policies and tagging authorization requirements
Security assessment
Documents security-related IAM permissions and tagging authorization requirements but does not address a specific disclosed vulnerability
Diff
diff --git a/codepipeline/latest/userguide/action-reference-ECS.md b/codepipeline/latest/userguide/action-reference-ECS.md index f885eed79..1b3d86e6f 100644 --- a/codepipeline/latest/userguide/action-reference-ECS.md +++ b/codepipeline/latest/userguide/action-reference-ECS.md @@ -5 +5 @@ -Action typeConfiguration parameters Input artifactsOutput artifactsAction declarationSee also +Action typeConfiguration parameters Input artifactsOutput artifactsService role permissions: Amazon ECS standard actionAction declarationSee also @@ -30,0 +31,2 @@ This reference topic describes the Amazon ECS standard deployment action for Cod + * Service role permissions: Amazon ECS standard action + @@ -103,0 +106,66 @@ The action requires an existing image that has already been pushed to your image +## Service role permissions: Amazon ECS standard action + +For Amazon ECS, the following are the minimum permissions needed to create pipelines with an Amazon ECS deploy action. + + + { + "Version": "2012-10-17", + "Statement": [ + { "Sid": "TaskDefinitionPermissions", + "Effect": "Allow", + "Action": [ + "ecs:DescribeTaskDefinition", + "ecs:RegisterTaskDefinition" + ], + "Resource": [ + "*" + ] + }, + { "Sid": "ECSServicePermissions", + "Effect": "Allow", + "Action": [ + "ecs:DescribeServices", + "ecs:UpdateService" + ], + "Resource": [ + "arn:aws:ecs:*:{{customerAccountId}}:service/[[clusters]]/*" + ] + }, + { "Sid": "ECSTagResource", + "Effect": "Allow", + "Action": [ + "ecs:TagResource" + ], + "Resource": [ + "arn:aws:ecs:*:{{customerAccountId}}:task-definition/[[taskDefinitions]]:*" + ], + "Condition": { + "StringEquals": { + "ecs:CreateAction": [ + "RegisterTaskDefinition" + ] + } + } + }, + { "Sid": "IamPassRolePermissions", + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": [ + "arn:aws:iam::{{customerAccountId}}:role/[[passRoles]]" + ], + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "ecs.amazonaws.com", + "ecs-tasks.amazonaws.com" + ] + } + } + } + ] + } + +You can opt in to using tagging authorization in Amazon ECS. By opting in, you must grant the following permissions: `ecs:TagResource`. For more information about how to opt in and to determine whether the permission is required and tag authorization is enforced, see [Tagging authorization timeline](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#tag-resources-timeline) in the Amazon Elastic Container Service Developer Guide. + +You must add the `iam:PassRole` permissions to use IAM roles for tasks. For more information, see [Amazon ECS task execution IAM role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html) and [IAM Roles for Tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html). Use the following policy text. +