AWS codepipeline documentation change
Summary
Added 'Service role permissions: S3 source action' section with required S3 access policies including resource constraints
Security assessment
Documents secure S3 source access configuration without evidence of fixing a vulnerability
Diff
diff --git a/codepipeline/latest/userguide/action-reference-S3.md b/codepipeline/latest/userguide/action-reference-S3.md index 97fef317b..b4bcd218f 100644 --- a/codepipeline/latest/userguide/action-reference-S3.md +++ b/codepipeline/latest/userguide/action-reference-S3.md @@ -5 +5 @@ -Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesAction declarationSee also +Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesService role permissions: S3 source actionAction declarationSee also @@ -44,0 +45,2 @@ When Amazon S3 is the source provider for your pipeline, you may zip your source + * Service role permissions: S3 source action + @@ -174,0 +177,32 @@ The version ID for the version of the object related to the source change that t +## Service role permissions: S3 source action + +For S3 source action support, add the following to your policy statement: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:GetBucketVersioning", + "s3:GetBucketAcl", + "s3:GetBucketLocation", + "s3:GetObjectTagging", + "s3:GetObjectVersionTagging" + ], + "Resource": [ + "arn:aws:s3:::[[S3Bucket]]", + "arn:aws:s3:::[[S3Bucket]]/*" + ], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "{{customerAccountId}}" + } + } + } + ] + } +