AWS Security ChangesHomeSearch

AWS codepipeline medium security documentation change

Service: codepipeline · 2025-04-28 · Security-related medium

File: codepipeline/latest/userguide/how-to-custom-role.md

Summary

Added S3 object tagging permissions and explanatory note

Security assessment

Added required S3 tagging permissions (PutObjectTagging, GetObjectTagging) to IAM policy documentation. Missing these permissions could lead to access failures for tagged S3 objects, impacting pipeline security. The change explicitly documents security-related permissions.

Diff

diff --git a/codepipeline/latest/userguide/how-to-custom-role.md b/codepipeline/latest/userguide/how-to-custom-role.md
index e47bc8920..2f568c7c1 100644
--- a//codepipeline/latest/userguide/how-to-custom-role.md
+++ b//codepipeline/latest/userguide/how-to-custom-role.md
@@ -53 +53,4 @@ The CodePipeline service role policy statement contains the minimum permissions
-            "s3:GetObjectVersion"
+            "s3:GetObjectVersion",
+            "s3:PutObjectTagging",
+            "s3:GetObjectTagging",
+            "s3:GetObjectVersionTagging"
@@ -66,0 +70,9 @@ The CodePipeline service role policy statement contains the minimum permissions
+###### Note
+
+In the policy, the following permissions are required when the S3 objects in your source bucket have tags in them: 
+    
+    
+    s3:PutObjectTagging
+    s3:GetObjectTagging
+    s3:GetObjectVersionTagging
+