AWS codepipeline documentation change
Summary
Added 'Service role permissions: CodeDeployToECS action' section with IAM policy requirements for blue/green deployments, including CodeDeploy, ECS, and IAM permissions
Security assessment
Documents required IAM permissions for secure deployment configuration but does not indicate remediation of a specific vulnerability
Diff
diff --git a/codepipeline/latest/userguide/action-reference-ECSbluegreen.md b/codepipeline/latest/userguide/action-reference-ECSbluegreen.md index f4c269597..f52a88ece 100644 --- a/codepipeline/latest/userguide/action-reference-ECSbluegreen.md +++ b/codepipeline/latest/userguide/action-reference-ECSbluegreen.md @@ -5 +5 @@ -Action typeConfiguration parameters Input artifactsOutput artifactsAction declarationSee also +Action typeConfiguration parameters Input artifactsOutput artifactsService role permissions: CodeDeployToECS actionAction declarationSee also @@ -28,0 +29,2 @@ This topic describes the Amazon ECS to CodeDeploy blue/green deployment action f + * Service role permissions: CodeDeployToECS action + @@ -140,0 +143,77 @@ For the value of the `TaskDefinition` field, the placeholder text must be <TASK_ +## Service role permissions: `CodeDeployToECS` action + +For the `CodeDeployToECS` action (blue/green deployments), the following are the minimum permissions needed to create pipelines with a CodeDeploy to Amazon ECS blue/green deployment action. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowCodeDeployDeploymentActions", + "Action": [ + "codedeploy:CreateDeployment", + "codedeploy:GetDeployment" + ], + "Resource": [ + "arn:aws:codedeploy:*:{{customerAccountId}}:deploymentgroup:[[ApplicationName]]/*" + ], + "Effect": "Allow" + }, + { + "Sid": "AllowCodeDeployApplicationActions", + "Action": [ + "codedeploy:GetApplication", + "codedeploy:GetApplicationRevision", + "codedeploy:RegisterApplicationRevision" + ], + "Resource": [ + "arn:aws:codedeploy:*:{{customerAccountId}}:application:[[ApplicationName]]", + "arn:aws:codedeploy:*:{{customerAccountId}}:application:[[ApplicationName]]/*" + ], + "Effect": "Allow" + }, + { + "Sid": "AllowCodeDeployDeploymentConfigAccess", + "Action": [ + "codedeploy:GetDeploymentConfig" + ], + "Resource": [ + "arn:aws:codedeploy:*:{{customerAccountId}}:deploymentconfig:*" + ], + "Effect": "Allow" + }, + { + "Sid": "AllowECSRegisterTaskDefinition", + "Action": [ + "ecs:RegisterTaskDefinition" + ], + "Resource": [ + "*" + ], + "Effect": "Allow" + }, + { + "Sid": "AllowPassRoleToECS", + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": [ + "arn:aws:iam::{{customerAccountId}}:role/[[PassRoles]]" + ], + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "ecs.amazonaws.com", + "ecs-tasks.amazonaws.com" + ] + } + } + } + ] + } + +You can opt in to using tagging authorization in Amazon ECS. By opting in, you must grant the following permissions: `ecs:TagResource`. For more information about how to opt in and to determine whether the permission is required and tag authorization is enforced, see [Tagging authorization timeline](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#tag-resources-timeline) in the Amazon Elastic Container Service Developer Guide. + +You must also add the `iam:PassRole` permissions to use IAM roles for tasks. For more information, see [Amazon ECS task execution IAM role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html) and [IAM Roles for Tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html). + +You can also add `ecs-tasks.amazonaws.com` to the list of services under the `iam:PassedToService` condition, as shown in the above example. +