AWS codepipeline documentation change
Summary
Added new section specifying minimum required permissions for StepFunctions actions with example IAM policy
Security assessment
Documents least-privilege permissions for StepFunctions integration but does not address a specific security incident
Diff
diff --git a/codepipeline/latest/userguide/action-reference-StepFunctions.md b/codepipeline/latest/userguide/action-reference-StepFunctions.md index 88098dec7..fafcf26aa 100644 --- a/codepipeline/latest/userguide/action-reference-StepFunctions.md +++ b/codepipeline/latest/userguide/action-reference-StepFunctions.md @@ -5 +5 @@ -Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesExample action configurationBehaviorSee also +Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesService role permissions: StepFunctions actionExample action configurationBehaviorSee also @@ -135,0 +136,15 @@ The ARN of the execution of the state machine. Standard state machines only. +## Service role permissions: `StepFunctions` action + +For the `StepFunctions` action, the following are the minimum permissions needed to create pipelines with a Step Functions invoke action. + + + { + "Effect": "Allow", + "Action": [ + "states:DescribeStateMachine", + "states:DescribeExecution", + "states:StartExecution" + ], + "Resource": "resource_ARN" + }, +