AWS imagebuilder documentation change
Summary
Added permissions for SSM Parameter Store access in service role policy
Security assessment
Explicitly documents new ssm:GetParameter and ssm:PutParameter permissions required for secure parameter management. This clarifies security controls but does not indicate remediation of a vulnerability.
Diff
diff --git a/imagebuilder/latest/userguide/security-iam-awsmanpol.md b/imagebuilder/latest/userguide/security-iam-awsmanpol.md index 7ff16d64c..058c06f5a 100644 --- a//imagebuilder/latest/userguide/security-iam-awsmanpol.md +++ b//imagebuilder/latest/userguide/security-iam-awsmanpol.md @@ -98,0 +99,2 @@ Image Builder is also able to create or delete State Manager associations for an +Image Builder is able to read public Parameter Store Parameters, and read and update private Parameters prefixed with `ImageBuilder-` so that it can update the Parameter value with the output AMI IDs that Image Builder creates from a new build. + @@ -213,0 +216,6 @@ Change | Description | Date +AWSServiceRoleForImageBuilder – Update to an existing policy | Image Builder made the following changes to the service role to support the use of AWS Systems Manager (SSM) Parameter Store Parameters in recipes and during image distribution. + + * Added ssm:GetParameter to allow Image Builder to read public SSM Parameters and private SSM Parameters prefixed with `ImageBuilder-` so that they can be used in recipes. + * Added ssm:PutParameter to allow Image Builder to update private SSM Parameters prefixed with `ImageBuilder-` with the output AMI IDs that Image Builder creates from a new build. + +| April 30, 2025