AWS codepipeline medium security documentation change
Summary
Updated policy conditions from StringLike to ArnLike for notifications
Security assessment
Changed notification resource conditions to use ArnLike instead of StringLike, improving specificity and reducing potential privilege escalation risks in policy examples.
Diff
diff --git a/codepipeline/latest/userguide/security-iam-id-policies-examples.md b/codepipeline/latest/userguide/security-iam-id-policies-examples.md index 3a18d1d83..bfb4948db 100644 --- a//codepipeline/latest/userguide/security-iam-id-policies-examples.md +++ b//codepipeline/latest/userguide/security-iam-id-policies-examples.md @@ -25,0 +26,6 @@ The following shows an example of a permissions policy that grants permissions t +JSON + + +**** + + @@ -44,0 +52,6 @@ The following example shows a policy in the 111222333444 account that allows use +JSON + + +**** + + @@ -106,2 +119,2 @@ The following example shows a policy in the 111222333444 account that allows use - "StringLike": { - "codestar-notifications:NotificationsForResource": "arn:aws:codepipeline:*" + "ArnLike": { + "codestar-notifications:NotificationsForResource": "arn:aws:iam::*:role/Service*" @@ -117,0 +132,6 @@ After you create this policy, create the IAM role in the 111222333444 account an +JSON + + +**** + + @@ -133,0 +155,6 @@ The following example shows a policy created in the `111111111111` AWS account t +JSON + + +**** + +