AWS codepipeline high security documentation change
Summary
Removed S3 bucket encryption/SSL enforcement policies and modified cross-account resource ARNs
Security assessment
Removal of 'DenyUnEncryptedObjectUploads' and 'DenyInsecureConnections' policies reduces security controls for S3 bucket configurations, potentially enabling insecure data transfers. Changed resource ARNs appear to be example updates rather than security improvements.
Diff
diff --git a/codepipeline/latest/userguide/pipelines-create-cross-account.md b/codepipeline/latest/userguide/pipelines-create-cross-account.md index 8c1a3a9c0..b14054f6c 100644 --- a//codepipeline/latest/userguide/pipelines-create-cross-account.md +++ b//codepipeline/latest/userguide/pipelines-create-cross-account.md @@ -142,0 +143,6 @@ In the following example, the ARN is for `AccountB` is `012ID_ACCOUNT_B`. The AR +JSON + + +**** + + @@ -145 +150,0 @@ In the following example, the ARN is for `AccountB` is `012ID_ACCOUNT_B`. The AR - "Id": "SSEAndSSLPolicy", @@ -148,25 +152,0 @@ In the following example, the ARN is for `AccountB` is `012ID_ACCOUNT_B`. The AR - "Sid": "DenyUnEncryptedObjectUploads", - "Effect": "Deny", - "Principal": "*", - "Action": "s3:PutObject", - "Resource": "arn:aws:s3:::codepipeline-us-east-2-1234567890/*", - "Condition": { - "StringNotEquals": { - "s3:x-amz-server-side-encryption": "aws:kms" - } - } - }, - { - "Sid": "DenyInsecureConnections", - "Effect": "Deny", - "Principal": "*", - "Action": "s3:*", - "Resource": "arn:aws:s3:::codepipeline-us-east-2-1234567890/*", - "Condition": { - "Bool": { - "aws:SecureTransport": false - } - } - }, - { - "Sid": "", @@ -174,17 +154,4 @@ In the following example, the ARN is for `AccountB` is `012ID_ACCOUNT_B`. The AR - "Principal": { - "AWS": "arn:aws:iam::012ID_ACCOUNT_B:root" - }, - "Action": [ - "s3:Get*", - "s3:Put*" - ], - "Resource": "arn:aws:s3:::codepipeline-us-east-2-1234567890/*" - }, - { - "Sid": "", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::012ID_ACCOUNT_B:root" - }, - "Action": "s3:ListBucket", - "Resource": "arn:aws:s3:::codepipeline-us-east-2-1234567890" + "Action": "codecommit:GetRepository", + "Resource": [ + "arn:aws:codecommit:us-east-2:111122223333:MySharedDemoRepo" + ] @@ -213,0 +182,6 @@ In the following example, the ARN is for `AccountB` is `012ID_ACCOUNT_B`. The AR +JSON + + +**** + + @@ -220 +194 @@ In the following example, the ARN is for `AccountB` is `012ID_ACCOUNT_B`. The AR - "arn:aws:iam::012ID_ACCOUNT_B:role/*" + "arn:aws:iam::111122223333:role/*" @@ -260,0 +236,6 @@ These policies are specific to setting up CodeDeploy resources to be used in a p +JSON + + +**** + + @@ -270 +251 @@ These policies are specific to setting up CodeDeploy resources to be used in a p - "arn:aws:s3:::codepipeline-us-east-2-1234567890/*" + "arn:aws:s3:::amzn-s3-demo-bucket/*" @@ -279 +260 @@ These policies are specific to setting up CodeDeploy resources to be used in a p - "arn:aws:s3:::codepipeline-us-east-2-1234567890" + "arn:aws:s3:::amzn-s3-demo-bucket" @@ -290,0 +273,6 @@ These policies are specific to setting up CodeDeploy resources to be used in a p +JSON + + +**** + + @@ -304 +292 @@ These policies are specific to setting up CodeDeploy resources to be used in a p - "arn:aws:kms:us-east-1:012ID_ACCOUNT_A:key/2222222-3333333-4444-556677EXAMPLE" + "arn:aws:kms:us-east-1:111122223333:key/2222222-3333333-4444-556677EXAMPLE" @@ -348,0 +338,6 @@ This is not the policy you will use. You must choose a policy to complete the wi +JSON + + +**** + + @@ -373,0 +370,6 @@ This is not the policy you will use. You must choose a policy to complete the wi +JSON + + +**** + + @@ -385 +387 @@ This is not the policy you will use. You must choose a policy to complete the wi - "arn:aws:s3:::codepipeline-us-east-2-1234567890/*" + "arn:aws:s3:::amzn-s3-demo-bucket/*"