AWS Security ChangesHomeSearch

AWS codepipeline documentation change

Service: codepipeline · 2025-03-30 · Documentation low

File: codepipeline/latest/userguide/action-reference-S3.md

Summary

Added 'Service role permissions: S3 source action' section with required S3 access policies including resource constraints

Security assessment

Documents secure S3 source access configuration without evidence of fixing a vulnerability

Diff

diff --git a/codepipeline/latest/userguide/action-reference-S3.md b/codepipeline/latest/userguide/action-reference-S3.md
index 97fef317b..b4bcd218f 100644
--- a/codepipeline/latest/userguide/action-reference-S3.md
+++ b/codepipeline/latest/userguide/action-reference-S3.md
@@ -5 +5 @@
-Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesAction declarationSee also
+Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesService role permissions: S3 source actionAction declarationSee also
@@ -44,0 +45,2 @@ When Amazon S3 is the source provider for your pipeline, you may zip your source
+  * Service role permissions: S3 source action
+
@@ -174,0 +177,32 @@ The version ID for the version of the object related to the source change that t
+## Service role permissions: S3 source action
+
+For S3 source action support, add the following to your policy statement:
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": [
+            "s3:GetObject",
+            "s3:GetObjectVersion",
+            "s3:GetBucketVersioning",
+            "s3:GetBucketAcl",
+            "s3:GetBucketLocation",
+            "s3:GetObjectTagging",
+            "s3:GetObjectVersionTagging"
+          ],
+          "Resource": [
+            "arn:aws:s3:::[[S3Bucket]]",
+            "arn:aws:s3:::[[S3Bucket]]/*"
+          ],
+          "Condition": {
+            "StringEquals": {
+              "aws:ResourceAccount": "{{customerAccountId}}"
+            }
+          }
+        }
+      ]
+    }
+