AWS codepipeline documentation change
Summary
Added 'Service role permissions: S3 deploy action' section with PutObject permissions and tagging requirements
Security assessment
Specifies secure deployment permissions but does not address a known security issue
Diff
diff --git a/codepipeline/latest/userguide/action-reference-S3Deploy.md b/codepipeline/latest/userguide/action-reference-S3Deploy.md index fa58f0b96..6f7b20e5b 100644 --- a/codepipeline/latest/userguide/action-reference-S3Deploy.md +++ b/codepipeline/latest/userguide/action-reference-S3Deploy.md @@ -5 +5 @@ -Action typeConfiguration parameters Input artifactsOutput artifactsExample action configurationSee also +Action typeConfiguration parameters Input artifactsOutput artifactsService role permissions: S3 deploy actionExample action configurationSee also @@ -24,0 +25,2 @@ This reference topic describes the Amazon S3 deployment action for CodePipeline + * Service role permissions: S3 deploy action + @@ -117,0 +120,38 @@ The `CacheControl` parameter controls caching behavior for requests/responses fo +## Service role permissions: S3 deploy action + +For S3 deploy action support, add the following to your policy statement: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:PutObjectVersionAcl", + "s3:GetBucketVersioning", + "s3:GetBucketAcl", + "s3:GetBucketLocation" + ], + "Resource": [ + "arn:aws:s3:::[[s3DeployBuckets]]", + "arn:aws:s3:::[[s3DeployBuckets]]/*" + ], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "{{customerAccountId}}" + } + } + } + ] + } + +For the S3 deploy action support, if your S3 objects have tags, you must also add the following permissions to your policy statement: + + + "s3:GetObjectTagging", + "s3:GetObjectVersionTagging", + "s3:PutObjectTagging" +