AWS codepipeline high security documentation change
Summary
Removed detailed CloudFormation template configuration including S3 bucket policies enforcing encryption and secure transport, IAM role policies, and pipeline/event resources. Added placeholder JSON blocks and AppConfig-related permissions.
Security assessment
The removed S3 bucket policies ('DenyUnEncryptedObjectUploads' and 'DenyInsecureConnections') were explicit security controls enforcing KMS encryption and HTTPS connections. Their removal from the documentation example could lead users to deploy less secure configurations. The change weakens security guidance by omitting these protections.
Diff
diff --git a/codepipeline/latest/userguide/create-S3-source-events-cfn.md b/codepipeline/latest/userguide/create-S3-source-events-cfn.md index b3d5301d0..21f8c99f2 100644 --- a//codepipeline/latest/userguide/create-S3-source-events-cfn.md +++ b//codepipeline/latest/userguide/create-S3-source-events-cfn.md @@ -585,0 +586,8 @@ JSON +JSON + +JSON + + +**** + + @@ -588,119 +595,0 @@ JSON - "Parameters": { - "SourceObjectKey": { - "Description": "S3 source artifact", - "Type": "String", - "Default": "SampleApp_Linux.zip" - }, - "ApplicationName": { - "Description": "CodeDeploy application name", - "Type": "String", - "Default": "DemoApplication" - }, - "BetaFleet": { - "Description": "Fleet configured in CodeDeploy", - "Type": "String", - "Default": "DemoFleet" - } - }, - "Resources": { - "SourceBucket": { - "Type": "AWS::S3::Bucket", - "Properties": { - "NotificationConfiguration": { - "EventBridgeConfiguration": { - "EventBridgeEnabled": true - } - }, - "VersioningConfiguration": { - "Status": "Enabled" - } - } - }, - "CodePipelineArtifactStoreBucket": { - "Type": "AWS::S3::Bucket" - }, - "CodePipelineArtifactStoreBucketPolicy": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "CodePipelineArtifactStoreBucket" - }, - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "DenyUnEncryptedObjectUploads", - "Effect": "Deny", - "Principal": "*", - "Action": "s3:PutObject", - "Resource": { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "CodePipelineArtifactStoreBucket", - "Arn" - ] - }, - "/*" - ] - ] - }, - "Condition": { - "StringNotEquals": { - "s3:x-amz-server-side-encryption": "aws:kms" - } - } - }, - { - "Sid": "DenyInsecureConnections", - "Effect": "Deny", - "Principal": "*", - "Action": "s3:*", - "Resource": { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "CodePipelineArtifactStoreBucket", - "Arn" - ] - }, - "/*" - ] - ] - }, - "Condition": { - "Bool": { - "aws:SecureTransport": false - } - } - } - ] - } - } - }, - "CodePipelineServiceRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": [ - "codepipeline.amazonaws.com" - ] - }, - "Action": "sts:AssumeRole" - } - ] - }, - "Path": "/", - "Policies": [ - { - "PolicyName": "AWS-CodePipeline-Service-3", - "PolicyDocument": { @@ -710,43 +598,0 @@ JSON - "Effect": "Allow", - "Action": [ - "codecommit:CancelUploadArchive", - "codecommit:GetBranch", - "codecommit:GetCommit", - "codecommit:GetUploadArchiveStatus", - "codecommit:UploadArchive" - ], - "Resource": "resource_ARN" - }, - { - "Effect": "Allow", - "Action": [ - "codedeploy:CreateDeployment", - "codedeploy:GetApplicationRevision", - "codedeploy:GetDeployment", - "codedeploy:GetDeploymentConfig", - "codedeploy:RegisterApplicationRevision" - ], - "Resource": "resource_ARN" - }, - { - "Effect": "Allow", - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild" - ], - "Resource": "resource_ARN" - }, - { - "Effect": "Allow", - "Action": [ - "devicefarm:ListProjects", - "devicefarm:ListDevicePools", - "devicefarm:GetRun", - "devicefarm:GetUpload", - "devicefarm:CreateUpload", - "devicefarm:ScheduleRun" - ], - "Resource": "resource_ARN" - }, - { - "Effect": "Allow", @@ -754,84 +600,3 @@ JSON - "lambda:InvokeFunction", - "lambda:ListFunctions" - ], - "Resource": "resource_ARN" - }, - { - "Effect": "Allow", - "Action": [ - "iam:PassRole" - ], - "Resource": "resource_ARN" - }, - { - "Effect": "Allow", - "Action": [ - "elasticbeanstalk:*", - "ec2:*", - "elasticloadbalancing:*", - "autoscaling:*", - "cloudwatch:*", - "s3:*", - "sns:*",