AWS Security ChangesHomeSearch

AWS codepipeline high security documentation change

Service: codepipeline · 2025-08-19 · Security-related high

File: codepipeline/latest/userguide/security_iam_id-based-policy-examples.md

Summary

Updated IAM policy examples with standardized account IDs (111122223333), added JSON section markers, and modified S3 bucket policies by removing encryption/SSL enforcement rules while adding CodeCommit permissions

Security assessment

The removal of 'DenyUnEncryptedObjectUploads' and 'DenyInsecureConnections' policies eliminates enforcement of server-side encryption and secure transport requirements for S3 buckets, which weakens security controls. This is direct evidence of reduced security posture in example policies.

Diff

diff --git a/codepipeline/latest/userguide/security_iam_id-based-policy-examples.md b/codepipeline/latest/userguide/security_iam_id-based-policy-examples.md
index 58e9dfe7a..6db9a48fa 100644
--- a//codepipeline/latest/userguide/security_iam_id-based-policy-examples.md
+++ b//codepipeline/latest/userguide/security_iam_id-based-policy-examples.md
@@ -70,0 +71,6 @@ The following example grants permissions to get the state of the pipeline named
+JSON
+    
+
+****
+    
+    
@@ -88,0 +96,6 @@ The following example grants permissions to disable and enable transitions betwe
+JSON
+    
+
+****
+    
+    
@@ -112,0 +127,6 @@ The following example grants permissions to get a list of all available action t
+JSON
+    
+
+****
+    
+    
@@ -130,0 +152,6 @@ The following example grants permissions to approve or reject manual approval ac
+JSON
+    
+
+****
+    
+    
@@ -152,0 +181,6 @@ The job worker for a custom action might be configured under a different AWS acc
+JSON
+    
+
+****
+    
+    
@@ -172,0 +208,6 @@ If you configure a pipeline to use Jenkins for build or test, create a separate
+JSON
+    
+
+****
+    
+    
@@ -196,0 +239,6 @@ The following example shows a policy in the 80398EXAMPLE account that allows use
+JSON
+    
+
+****
+    
+    
@@ -221 +269 @@ The following example shows a policy in the 80398EXAMPLE account that allows use
-                "Resource": "arn:aws:codepipeline:us-east-2:80398EXAMPLE:MyFirstPipeline"
+                "Resource": "arn:aws:codepipeline:us-east-2:111122223333:MyFirstPipeline"
@@ -228,0 +278,6 @@ After you create this policy, create the IAM role in the 80398EXAMPLE account an
+JSON
+    
+
+****
+    
+    
@@ -235,4 +290,4 @@ After you create this policy, create the IAM role in the 80398EXAMPLE account an
-                "Principal": {
-                    "AWS": "arn:aws:iam::111111111111:root"
-                },
-                "Action": "sts:AssumeRole"
+                "Action": "codecommit:GetRepository",
+                "Resource": [
+                    "arn:aws:codecommit:us-east-2:111122223333:MySharedDemoRepo"
+                ]
@@ -244,0 +301,6 @@ The following example shows a policy created in the `111111111111` AWS account t
+JSON
+    
+
+****
+    
+    
@@ -252 +314 @@ The following example shows a policy created in the `111111111111` AWS account t
-                "Resource": "arn:aws:iam::80398EXAMPLE:role/CrossAccountPipelineViewers"
+                "Resource": "arn:aws:iam::111122223333:role/CrossAccountPipelineViewers"
@@ -262,0 +326,6 @@ The following example shows a policy configured by AccountA for an S3 bucket use
+JSON
+    
+
+****
+    
+    
@@ -266 +334,0 @@ The following example shows a policy configured by AccountA for an S3 bucket use
-        "Id": "SSEAndSSLPolicy",
@@ -269,25 +336,0 @@ The following example shows a policy configured by AccountA for an S3 bucket use
-                "Sid": "DenyUnEncryptedObjectUploads",
-                "Effect": "Deny",
-                "Principal": "*",
-                "Action": "s3:PutObject",
-                "Resource": "arn:aws:s3:::codepipeline-us-east-2-1234567890/*",
-                "Condition": {
-                    "StringNotEquals": {
-                        "s3:x-amz-server-side-encryption": "aws:kms"
-                    }
-                }
-            },
-            {
-                "Sid": "DenyInsecureConnections",
-                "Effect": "Deny",
-                "Principal": "*",
-                "Action": "s3:*",
-                "Resource": "arn:aws:s3:::codepipeline-us-east-2-1234567890/*",
-                "Condition": {
-                    "Bool": {
-                        "aws:SecureTransport": false
-                    }
-                }
-            },
-            {
-                "Sid": "",
@@ -295,17 +338,4 @@ The following example shows a policy configured by AccountA for an S3 bucket use
-                "Principal": {
-                    "AWS": "arn:aws:iam::012ID_ACCOUNT_B:root"
-                },
-                "Action": [
-                    "s3:Get*",
-                    "s3:Put*"
-                ],
-                "Resource": "arn:aws:s3:::codepipeline-us-east-2-1234567890/*"
-            },
-            {
-                "Sid": "",
-                "Effect": "Allow",
-                "Principal": {
-                    "AWS": "arn:aws:iam::012ID_ACCOUNT_B:root"
-                },
-                "Action": "s3:ListBucket",
-                "Resource": "arn:aws:s3:::codepipeline-us-east-2-1234567890"
+                "Action": "codecommit:GetRepository",
+                "Resource": [
+                    "arn:aws:codecommit:us-east-2:111122223333:MySharedDemoRepo"
+                ]
@@ -317,0 +349,6 @@ The following example shows a policy configured by AccountA that allows AccountB
+JSON
+    
+
+****
+    
+    
@@ -325 +362 @@ The following example shows a policy configured by AccountA that allows AccountB
-                "arn:aws:iam::012ID_ACCOUNT_B:role/*"
+                "arn:aws:iam::111122223333:role/*"
@@ -331,0 +370,6 @@ The following example shows a policy configured by AccountB and applied to the [
+JSON
+    
+
+****
+    
+    
@@ -342 +386 @@ The following example shows a policy configured by AccountB and applied to the [
-                    "arn:aws:s3:::codepipeline-us-east-2-1234567890/*"
+                    "arn:aws:s3:::amzn-s3-demo-bucket/*"
@@ -351 +395 @@ The following example shows a policy configured by AccountB and applied to the [
-                    "arn:aws:s3:::codepipeline-us-east-2-1234567890"
+                    "arn:aws:s3:::amzn-s3-demo-bucket"
@@ -358,0 +404,6 @@ The following example shows a policy for AWS KMS where ``arn:aws:kms:us-east-1:0
+JSON
+    
+
+****
+    
+    
@@ -373 +424 @@ The following example shows a policy for AWS KMS where ``arn:aws:kms:us-east-1:0
-                    "arn:aws:kms:us-east-1:012ID_ACCOUNT_A:key/2222222-3333333-4444-556677EXAMPLE"
+                    "arn:aws:kms:us-east-1:111122223333:key/2222222-3333333-4444-556677EXAMPLE"
@@ -380,0 +433,6 @@ The following example shows an inline policy for an IAM role (`CrossAccount_Role
+JSON
+    
+
+****
+    
+    
@@ -400,0 +460,6 @@ The following example shows an inline policy for an IAM role (`CrossAccount_Role
+JSON
+    
+
+****
+    
+    
@@ -413 +478 @@ The following example shows an inline policy for an IAM role (`CrossAccount_Role
-                    "arn:aws:s3:::codepipeline-us-east-2-1234567890/*"
+                    "arn:aws:s3:::amzn-s3-demo-bucket/*"