AWS Security ChangesHomeSearch

AWS codepipeline high security documentation change

Service: codepipeline · 2025-04-11 · Security-related high

File: codepipeline/latest/userguide/pipelines-create-service-role-cli.md

Summary

Replaced inline policy JSON with guidance to use minimum service role policy and scope down permissions

Security assessment

Explicitly emphasizes least-privilege permissions and removes overly broad wildcard permissions in example policy, directly addressing security best practices.

Diff

diff --git a/codepipeline/latest/userguide/pipelines-create-service-role-cli.md b/codepipeline/latest/userguide/pipelines-create-service-role-cli.md
index ac933be20..34cb2e788 100644
--- a//codepipeline/latest/userguide/pipelines-create-service-role-cli.md
+++ b//codepipeline/latest/userguide/pipelines-create-service-role-cli.md
@@ -40 +40 @@ To save and exit the file, enter the following VIM command:
-  4. Paste the following JSON into the file. Make sure to scope down permissions as much as possible by adding the Amazon Resource Name (ARN) for your pipeline in the policy statement `Resource` field.
+  4. Paste the JSON policy into the file. Use the minimum service role policy as provided in [CodePipeline service role policy](./how-to-custom-role.html#how-to-custom-role-policy). In addition, add the appropriate permissions to your service role based on the actions you plan to use. For a list of actions and a link to each action's required service role permissions, see [Add permissions to the CodePipeline service role](./how-to-custom-role.html#how-to-update-role-new-services). 
@@ -42,79 +42 @@ To save and exit the file, enter the following VIM command:
-        {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action": [
-            "codecommit:CancelUploadArchive",
-            "codecommit:GetBranch",
-            "codecommit:GetCommit",
-            "codecommit:GetUploadArchiveStatus",
-            "codecommit:UploadArchive"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Effect": "Allow",
-          "Action": [
-            "codedeploy:CreateDeployment",
-            "codedeploy:GetApplicationRevision",
-            "codedeploy:GetDeployment",
-            "codedeploy:GetDeploymentConfig",
-            "codedeploy:RegisterApplicationRevision"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Effect": "Allow",
-          "Action": [
-            "codebuild:BatchGetBuilds",
-            "codebuild:StartBuild"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Effect": "Allow",
-          "Action": [
-            "devicefarm:ListProjects",
-            "devicefarm:ListDevicePools",
-            "devicefarm:GetRun",
-            "devicefarm:GetUpload",
-            "devicefarm:CreateUpload",
-            "devicefarm:ScheduleRun"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Effect": "Allow",
-          "Action": [
-            "lambda:InvokeFunction",
-            "lambda:ListFunctions"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Effect": "Allow",
-          "Action": [
-            "iam:PassRole"
-          ],
-          "Resource": "resource_ARN"
-        },
-        {
-          "Effect": "Allow",
-          "Action": [
-            "elasticbeanstalk:*",
-            "ec2:*",
-            "elasticloadbalancing:*",
-            "autoscaling:*",
-            "cloudwatch:*",
-            "s3:*",
-            "sns:*",
-            "cloudformation:*",
-            "rds:*",
-            "sqs:*",
-            "ecs:*"
-          ],
-          "Resource": "resource_ARN"
-        }
-      ]
-    }
+Make sure to scope down permissions as much as possible by scoping down to the resource level in the `Resource` field.