AWS Security ChangesHomeSearch

AWS codepipeline documentation change

Service: codepipeline · 2025-03-30 · Documentation medium

File: codepipeline/latest/userguide/action-reference-InspectorScan.md

Summary

Added 'Service role permissions: InspectorScan action' section with required IAM policies for vulnerability scanning and CloudWatch logging

Security assessment

Provides security-related IAM policies for vulnerability scanning feature but no evidence of addressing a specific security incident

Diff

diff --git a/codepipeline/latest/userguide/action-reference-InspectorScan.md b/codepipeline/latest/userguide/action-reference-InspectorScan.md
index 4a0def284..73e43ec2a 100644
--- a/codepipeline/latest/userguide/action-reference-InspectorScan.md
+++ b/codepipeline/latest/userguide/action-reference-InspectorScan.md
@@ -5 +5 @@
-Action type IDConfiguration parameters Input artifactsOutput artifactsOutput variablesAction declarationSee also
+Action type IDConfiguration parameters Input artifactsOutput artifactsOutput variablesService role permissions: InspectorScan actionAction declarationSee also
@@ -26,0 +27,2 @@ This action uses CodePipeline managed CodeBuild compute to run commands in a bui
+  * Service role permissions: InspectorScan action
+
@@ -126,0 +129,37 @@ The highest severity output from the scan. Valid values are `medium | high | cri
+## Service role permissions: `InspectorScan` action
+
+For the `InspectorScan` action support, add the following to your policy statement:
+    
+    
+    {
+            "Effect": "Allow",
+            "Action": "inspector-scan:ScanSbom",
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ecr:GetDownloadUrlForLayer",
+                "ecr:BatchGetImage",
+                "ecr:BatchCheckLayerAvailability"
+            ],
+            "Resource": "resource_ARN"
+        },
+
+In addition, if not already added for the Commands action, add the following permissions to your service role in order to view CloudWatch logs.
+    
+    
+    {
+        "Effect": "Allow",
+        "Action": [
+            "logs:CreateLogGroup",
+            "logs:CreateLogStream", 
+            "logs:PutLogEvents"
+        ],
+        "Resource": "resource_ARN"
+    },
+
+###### Note
+
+Scope down the permissions to the pipeline resource level by using resource-based permissions in the service role policy statement.
+
@@ -192 +231 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-AWS Device Farm test action reference
+Elastic Beanstalk deploy action reference