AWS codepipeline medium security documentation change
Summary
Added S3 object tagging permissions and explanatory note
Security assessment
Added required S3 tagging permissions (PutObjectTagging, GetObjectTagging) to IAM policy documentation. Missing these permissions could lead to access failures for tagged S3 objects, impacting pipeline security. The change explicitly documents security-related permissions.
Diff
diff --git a/codepipeline/latest/userguide/how-to-custom-role.md b/codepipeline/latest/userguide/how-to-custom-role.md index e47bc8920..2f568c7c1 100644 --- a//codepipeline/latest/userguide/how-to-custom-role.md +++ b//codepipeline/latest/userguide/how-to-custom-role.md @@ -53 +53,4 @@ The CodePipeline service role policy statement contains the minimum permissions - "s3:GetObjectVersion" + "s3:GetObjectVersion", + "s3:PutObjectTagging", + "s3:GetObjectTagging", + "s3:GetObjectVersionTagging" @@ -66,0 +70,9 @@ The CodePipeline service role policy statement contains the minimum permissions +###### Note + +In the policy, the following permissions are required when the S3 objects in your source bucket have tags in them: + + + s3:PutObjectTagging + s3:GetObjectTagging + s3:GetObjectVersionTagging +