AWS codepipeline high security documentation change
Summary
Updated IAM policy examples with standardized account IDs (111122223333), added JSON section markers, and modified S3 bucket policies by removing encryption/SSL enforcement rules while adding CodeCommit permissions
Security assessment
The removal of 'DenyUnEncryptedObjectUploads' and 'DenyInsecureConnections' policies eliminates enforcement of server-side encryption and secure transport requirements for S3 buckets, which weakens security controls. This is direct evidence of reduced security posture in example policies.
Diff
diff --git a/codepipeline/latest/userguide/security_iam_id-based-policy-examples.md b/codepipeline/latest/userguide/security_iam_id-based-policy-examples.md index 58e9dfe7a..6db9a48fa 100644 --- a//codepipeline/latest/userguide/security_iam_id-based-policy-examples.md +++ b//codepipeline/latest/userguide/security_iam_id-based-policy-examples.md @@ -70,0 +71,6 @@ The following example grants permissions to get the state of the pipeline named +JSON + + +**** + + @@ -88,0 +96,6 @@ The following example grants permissions to disable and enable transitions betwe +JSON + + +**** + + @@ -112,0 +127,6 @@ The following example grants permissions to get a list of all available action t +JSON + + +**** + + @@ -130,0 +152,6 @@ The following example grants permissions to approve or reject manual approval ac +JSON + + +**** + + @@ -152,0 +181,6 @@ The job worker for a custom action might be configured under a different AWS acc +JSON + + +**** + + @@ -172,0 +208,6 @@ If you configure a pipeline to use Jenkins for build or test, create a separate +JSON + + +**** + + @@ -196,0 +239,6 @@ The following example shows a policy in the 80398EXAMPLE account that allows use +JSON + + +**** + + @@ -221 +269 @@ The following example shows a policy in the 80398EXAMPLE account that allows use - "Resource": "arn:aws:codepipeline:us-east-2:80398EXAMPLE:MyFirstPipeline" + "Resource": "arn:aws:codepipeline:us-east-2:111122223333:MyFirstPipeline" @@ -228,0 +278,6 @@ After you create this policy, create the IAM role in the 80398EXAMPLE account an +JSON + + +**** + + @@ -235,4 +290,4 @@ After you create this policy, create the IAM role in the 80398EXAMPLE account an - "Principal": { - "AWS": "arn:aws:iam::111111111111:root" - }, - "Action": "sts:AssumeRole" + "Action": "codecommit:GetRepository", + "Resource": [ + "arn:aws:codecommit:us-east-2:111122223333:MySharedDemoRepo" + ] @@ -244,0 +301,6 @@ The following example shows a policy created in the `111111111111` AWS account t +JSON + + +**** + + @@ -252 +314 @@ The following example shows a policy created in the `111111111111` AWS account t - "Resource": "arn:aws:iam::80398EXAMPLE:role/CrossAccountPipelineViewers" + "Resource": "arn:aws:iam::111122223333:role/CrossAccountPipelineViewers" @@ -262,0 +326,6 @@ The following example shows a policy configured by AccountA for an S3 bucket use +JSON + + +**** + + @@ -266 +334,0 @@ The following example shows a policy configured by AccountA for an S3 bucket use - "Id": "SSEAndSSLPolicy", @@ -269,25 +336,0 @@ The following example shows a policy configured by AccountA for an S3 bucket use - "Sid": "DenyUnEncryptedObjectUploads", - "Effect": "Deny", - "Principal": "*", - "Action": "s3:PutObject", - "Resource": "arn:aws:s3:::codepipeline-us-east-2-1234567890/*", - "Condition": { - "StringNotEquals": { - "s3:x-amz-server-side-encryption": "aws:kms" - } - } - }, - { - "Sid": "DenyInsecureConnections", - "Effect": "Deny", - "Principal": "*", - "Action": "s3:*", - "Resource": "arn:aws:s3:::codepipeline-us-east-2-1234567890/*", - "Condition": { - "Bool": { - "aws:SecureTransport": false - } - } - }, - { - "Sid": "", @@ -295,17 +338,4 @@ The following example shows a policy configured by AccountA for an S3 bucket use - "Principal": { - "AWS": "arn:aws:iam::012ID_ACCOUNT_B:root" - }, - "Action": [ - "s3:Get*", - "s3:Put*" - ], - "Resource": "arn:aws:s3:::codepipeline-us-east-2-1234567890/*" - }, - { - "Sid": "", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::012ID_ACCOUNT_B:root" - }, - "Action": "s3:ListBucket", - "Resource": "arn:aws:s3:::codepipeline-us-east-2-1234567890" + "Action": "codecommit:GetRepository", + "Resource": [ + "arn:aws:codecommit:us-east-2:111122223333:MySharedDemoRepo" + ] @@ -317,0 +349,6 @@ The following example shows a policy configured by AccountA that allows AccountB +JSON + + +**** + + @@ -325 +362 @@ The following example shows a policy configured by AccountA that allows AccountB - "arn:aws:iam::012ID_ACCOUNT_B:role/*" + "arn:aws:iam::111122223333:role/*" @@ -331,0 +370,6 @@ The following example shows a policy configured by AccountB and applied to the [ +JSON + + +**** + + @@ -342 +386 @@ The following example shows a policy configured by AccountB and applied to the [ - "arn:aws:s3:::codepipeline-us-east-2-1234567890/*" + "arn:aws:s3:::amzn-s3-demo-bucket/*" @@ -351 +395 @@ The following example shows a policy configured by AccountB and applied to the [ - "arn:aws:s3:::codepipeline-us-east-2-1234567890" + "arn:aws:s3:::amzn-s3-demo-bucket" @@ -358,0 +404,6 @@ The following example shows a policy for AWS KMS where ``arn:aws:kms:us-east-1:0 +JSON + + +**** + + @@ -373 +424 @@ The following example shows a policy for AWS KMS where ``arn:aws:kms:us-east-1:0 - "arn:aws:kms:us-east-1:012ID_ACCOUNT_A:key/2222222-3333333-4444-556677EXAMPLE" + "arn:aws:kms:us-east-1:111122223333:key/2222222-3333333-4444-556677EXAMPLE" @@ -380,0 +433,6 @@ The following example shows an inline policy for an IAM role (`CrossAccount_Role +JSON + + +**** + + @@ -400,0 +460,6 @@ The following example shows an inline policy for an IAM role (`CrossAccount_Role +JSON + + +**** + + @@ -413 +478 @@ The following example shows an inline policy for an IAM role (`CrossAccount_Role - "arn:aws:s3:::codepipeline-us-east-2-1234567890/*" + "arn:aws:s3:::amzn-s3-demo-bucket/*"