AWS Security ChangesHomeSearch

AWS codepipeline documentation change

Service: codepipeline · 2025-03-30 · Documentation medium

File: codepipeline/latest/userguide/action-reference-ECS.md

Summary

Added service role permissions section for Amazon ECS standard action with minimum required IAM policies and tagging authorization requirements

Security assessment

Documents security-related IAM permissions and tagging authorization requirements but does not address a specific disclosed vulnerability

Diff

diff --git a/codepipeline/latest/userguide/action-reference-ECS.md b/codepipeline/latest/userguide/action-reference-ECS.md
index f885eed79..1b3d86e6f 100644
--- a/codepipeline/latest/userguide/action-reference-ECS.md
+++ b/codepipeline/latest/userguide/action-reference-ECS.md
@@ -5 +5 @@
-Action typeConfiguration parameters Input artifactsOutput artifactsAction declarationSee also
+Action typeConfiguration parameters Input artifactsOutput artifactsService role permissions: Amazon ECS standard actionAction declarationSee also
@@ -30,0 +31,2 @@ This reference topic describes the Amazon ECS standard deployment action for Cod
+  * Service role permissions: Amazon ECS standard action
+
@@ -103,0 +106,66 @@ The action requires an existing image that has already been pushed to your image
+## Service role permissions: Amazon ECS standard action
+
+For Amazon ECS, the following are the minimum permissions needed to create pipelines with an Amazon ECS deploy action.
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        { "Sid": "TaskDefinitionPermissions",
+          "Effect": "Allow",
+          "Action": [
+            "ecs:DescribeTaskDefinition",
+            "ecs:RegisterTaskDefinition"
+          ],
+          "Resource": [
+            "*"
+          ]
+        },
+        { "Sid": "ECSServicePermissions",
+          "Effect": "Allow",
+          "Action": [
+            "ecs:DescribeServices",
+            "ecs:UpdateService"
+          ],
+          "Resource": [
+            "arn:aws:ecs:*:{{customerAccountId}}:service/[[clusters]]/*"
+          ]
+        },
+        { "Sid": "ECSTagResource",
+          "Effect": "Allow",
+          "Action": [
+            "ecs:TagResource"
+          ],
+          "Resource": [
+            "arn:aws:ecs:*:{{customerAccountId}}:task-definition/[[taskDefinitions]]:*"
+          ],
+          "Condition": {
+            "StringEquals": {
+              "ecs:CreateAction": [
+                "RegisterTaskDefinition"
+              ]
+            }
+          }
+        },
+        { "Sid": "IamPassRolePermissions",
+          "Effect": "Allow",
+          "Action": "iam:PassRole",
+          "Resource": [
+            "arn:aws:iam::{{customerAccountId}}:role/[[passRoles]]"
+          ],
+          "Condition": {
+            "StringEquals": {
+              "iam:PassedToService": [
+                "ecs.amazonaws.com",
+                "ecs-tasks.amazonaws.com"
+              ]
+            }
+          }
+        }
+      ]
+    }
+
+You can opt in to using tagging authorization in Amazon ECS. By opting in, you must grant the following permissions: `ecs:TagResource`. For more information about how to opt in and to determine whether the permission is required and tag authorization is enforced, see [Tagging authorization timeline](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#tag-resources-timeline) in the Amazon Elastic Container Service Developer Guide.
+
+You must add the `iam:PassRole` permissions to use IAM roles for tasks. For more information, see [Amazon ECS task execution IAM role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html) and [IAM Roles for Tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html). Use the following policy text.
+