AWS Security ChangesHomeSearch

AWS codepipeline documentation change

Service: codepipeline · 2025-03-30 · Documentation medium

File: codepipeline/latest/userguide/action-reference-ECSbluegreen.md

Summary

Added 'Service role permissions: CodeDeployToECS action' section with IAM policy requirements for blue/green deployments, including CodeDeploy, ECS, and IAM permissions

Security assessment

Documents required IAM permissions for secure deployment configuration but does not indicate remediation of a specific vulnerability

Diff

diff --git a/codepipeline/latest/userguide/action-reference-ECSbluegreen.md b/codepipeline/latest/userguide/action-reference-ECSbluegreen.md
index f4c269597..f52a88ece 100644
--- a/codepipeline/latest/userguide/action-reference-ECSbluegreen.md
+++ b/codepipeline/latest/userguide/action-reference-ECSbluegreen.md
@@ -5 +5 @@
-Action typeConfiguration parameters Input artifactsOutput artifactsAction declarationSee also
+Action typeConfiguration parameters Input artifactsOutput artifactsService role permissions: CodeDeployToECS actionAction declarationSee also
@@ -28,0 +29,2 @@ This topic describes the Amazon ECS to CodeDeploy blue/green deployment action f
+  * Service role permissions: CodeDeployToECS action
+
@@ -140,0 +143,77 @@ For the value of the `TaskDefinition` field, the placeholder text must be <TASK_
+## Service role permissions: `CodeDeployToECS` action
+
+For the `CodeDeployToECS` action (blue/green deployments), the following are the minimum permissions needed to create pipelines with a CodeDeploy to Amazon ECS blue/green deployment action.
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "AllowCodeDeployDeploymentActions",
+          "Action": [
+            "codedeploy:CreateDeployment",
+            "codedeploy:GetDeployment"
+          ],
+          "Resource": [
+            "arn:aws:codedeploy:*:{{customerAccountId}}:deploymentgroup:[[ApplicationName]]/*"
+          ],
+          "Effect": "Allow"
+        },
+        {
+          "Sid": "AllowCodeDeployApplicationActions",
+          "Action": [
+            "codedeploy:GetApplication",
+            "codedeploy:GetApplicationRevision",
+            "codedeploy:RegisterApplicationRevision"
+          ],
+          "Resource": [
+            "arn:aws:codedeploy:*:{{customerAccountId}}:application:[[ApplicationName]]",
+            "arn:aws:codedeploy:*:{{customerAccountId}}:application:[[ApplicationName]]/*"
+          ],
+          "Effect": "Allow"
+        },
+        {
+          "Sid": "AllowCodeDeployDeploymentConfigAccess",
+          "Action": [
+            "codedeploy:GetDeploymentConfig"
+          ],
+          "Resource": [
+            "arn:aws:codedeploy:*:{{customerAccountId}}:deploymentconfig:*"
+          ],
+          "Effect": "Allow"
+        },
+        {
+          "Sid": "AllowECSRegisterTaskDefinition",
+          "Action": [
+            "ecs:RegisterTaskDefinition"
+          ],
+          "Resource": [
+            "*"
+          ],
+          "Effect": "Allow"
+        },
+        {
+          "Sid": "AllowPassRoleToECS",
+          "Effect": "Allow",
+          "Action": "iam:PassRole",
+          "Resource": [
+            "arn:aws:iam::{{customerAccountId}}:role/[[PassRoles]]"
+          ],
+          "Condition": {
+            "StringEquals": {
+              "iam:PassedToService": [
+                "ecs.amazonaws.com",
+                "ecs-tasks.amazonaws.com"
+              ]
+            }
+          }
+        }
+      ]
+    }
+
+You can opt in to using tagging authorization in Amazon ECS. By opting in, you must grant the following permissions: `ecs:TagResource`. For more information about how to opt in and to determine whether the permission is required and tag authorization is enforced, see [Tagging authorization timeline](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#tag-resources-timeline) in the Amazon Elastic Container Service Developer Guide.
+
+You must also add the `iam:PassRole` permissions to use IAM roles for tasks. For more information, see [Amazon ECS task execution IAM role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html) and [IAM Roles for Tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html).
+
+You can also add `ecs-tasks.amazonaws.com` to the list of services under the `iam:PassedToService` condition, as shown in the above example.
+