AWS Security ChangesHomeSearch

AWS codepipeline documentation change

Service: codepipeline · 2025-03-30 · Documentation low

File: codepipeline/latest/userguide/action-reference-S3Deploy.md

Summary

Added 'Service role permissions: S3 deploy action' section with PutObject permissions and tagging requirements

Security assessment

Specifies secure deployment permissions but does not address a known security issue

Diff

diff --git a/codepipeline/latest/userguide/action-reference-S3Deploy.md b/codepipeline/latest/userguide/action-reference-S3Deploy.md
index fa58f0b96..6f7b20e5b 100644
--- a/codepipeline/latest/userguide/action-reference-S3Deploy.md
+++ b/codepipeline/latest/userguide/action-reference-S3Deploy.md
@@ -5 +5 @@
-Action typeConfiguration parameters Input artifactsOutput artifactsExample action configurationSee also
+Action typeConfiguration parameters Input artifactsOutput artifactsService role permissions: S3 deploy actionExample action configurationSee also
@@ -24,0 +25,2 @@ This reference topic describes the Amazon S3 deployment action for CodePipeline
+  * Service role permissions: S3 deploy action
+
@@ -117,0 +120,38 @@ The `CacheControl` parameter controls caching behavior for requests/responses fo
+## Service role permissions: S3 deploy action
+
+For S3 deploy action support, add the following to your policy statement:
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": [
+            "s3:PutObject",
+            "s3:PutObjectAcl",
+            "s3:PutObjectVersionAcl",
+            "s3:GetBucketVersioning",
+            "s3:GetBucketAcl",
+            "s3:GetBucketLocation"
+          ],
+          "Resource": [
+            "arn:aws:s3:::[[s3DeployBuckets]]",
+            "arn:aws:s3:::[[s3DeployBuckets]]/*"
+          ],
+          "Condition": {
+            "StringEquals": {
+              "aws:ResourceAccount": "{{customerAccountId}}"
+            }
+          }
+        }
+      ]
+    }
+
+For the S3 deploy action support, if your S3 objects have tags, you must also add the following permissions to your policy statement:
+    
+    
+    "s3:GetObjectTagging",
+    "s3:GetObjectVersionTagging",
+    "s3:PutObjectTagging"
+