AWS codepipeline documentation change
Summary
Added 'Service role permissions: InspectorScan action' section with required IAM policies for vulnerability scanning and CloudWatch logging
Security assessment
Provides security-related IAM policies for vulnerability scanning feature but no evidence of addressing a specific security incident
Diff
diff --git a/codepipeline/latest/userguide/action-reference-InspectorScan.md b/codepipeline/latest/userguide/action-reference-InspectorScan.md index 4a0def284..73e43ec2a 100644 --- a/codepipeline/latest/userguide/action-reference-InspectorScan.md +++ b/codepipeline/latest/userguide/action-reference-InspectorScan.md @@ -5 +5 @@ -Action type IDConfiguration parameters Input artifactsOutput artifactsOutput variablesAction declarationSee also +Action type IDConfiguration parameters Input artifactsOutput artifactsOutput variablesService role permissions: InspectorScan actionAction declarationSee also @@ -26,0 +27,2 @@ This action uses CodePipeline managed CodeBuild compute to run commands in a bui + * Service role permissions: InspectorScan action + @@ -126,0 +129,37 @@ The highest severity output from the scan. Valid values are `medium | high | cri +## Service role permissions: `InspectorScan` action + +For the `InspectorScan` action support, add the following to your policy statement: + + + { + "Effect": "Allow", + "Action": "inspector-scan:ScanSbom", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability" + ], + "Resource": "resource_ARN" + }, + +In addition, if not already added for the Commands action, add the following permissions to your service role in order to view CloudWatch logs. + + + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Resource": "resource_ARN" + }, + +###### Note + +Scope down the permissions to the pipeline resource level by using resource-based permissions in the service role policy statement. + @@ -192 +231 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -AWS Device Farm test action reference +Elastic Beanstalk deploy action reference