AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2026-03-07 · Documentation medium

File: IAM/latest/UserGuide/reference_policies_condition-keys.md

Summary

Added documentation for new CodeBuild condition keys (codebuild:BuildArn and codebuild:ProjectArn) showing how to restrict access based on CodeBuild resources

Security assessment

This change adds documentation for new IAM condition keys that enable granular access control to CodeBuild resources. While this improves security posture by allowing least-privilege policies, there is no evidence of addressing a specific security vulnerability.

Diff

diff --git a/IAM/latest/UserGuide/reference_policies_condition-keys.md b/IAM/latest/UserGuide/reference_policies_condition-keys.md
index 9ecca254f..7e65872ae 100644
--- a//IAM/latest/UserGuide/reference_policies_condition-keys.md
+++ b//IAM/latest/UserGuide/reference_policies_condition-keys.md
@@ -33 +33 @@ Properties of the principal | Properties of a role session | Properties of the n
-`aws:PrincipalArn` `aws:PrincipalAccount` `aws:PrincipalOrgPaths` `aws:PrincipalOrgID` `aws:PrincipalTag/tag-key` `aws:PrincipalIsAWSService` `aws:PrincipalServiceName` `aws:PrincipalServiceNamesList` `aws:PrincipalType` `aws:userid` `aws:username` |  `aws:AssumedRoot` `aws:FederatedProvider` `aws:TokenIssueTime` `aws:MultiFactorAuthAge` `aws:MultiFactorAuthPresent` `aws:ChatbotSourceArn` `aws:Ec2InstanceSourceVpc` `aws:Ec2InstanceSourcePrivateIPv4` `aws:SourceIdentity` `ec2:RoleDelivery` `ec2:SourceInstanceArn` `glue:RoleAssumedBy` `glue:CredentialIssuingService` `lambda:SourceFunctionArn` `ssm:SourceInstanceArn` `identitystore:UserId` |  `aws:SourceIp` `aws:SourceVpc` `aws:SourceVpcArn` `aws:SourceVpce` `aws:VpceAccount` `aws:VpceOrgID` `aws:VpceOrgPaths` `aws:VpcSourceIp` |  `aws:ResourceAccount` `aws:ResourceOrgID` `aws:ResourceOrgPaths` `aws:ResourceTag/tag-key` |  `aws:CalledVia` `aws:CalledViaFirst` `aws:CalledViaLast` `aws:CalledViaAWSMCP` `aws:ViaAWSService` `aws:ViaAWSMCPService` `aws:CurrentTime` `aws:EpochTime` `aws:referer` `aws:RequestedRegion` `aws:RequestTag/tag-key` `aws:TagKeys` `aws:SecureTransport` `aws:SourceAccount` `aws:SourceArn` `aws:SourceOrgID` `aws:SourceOrgPaths` `aws:UserAgent` `aws:IsMcpServiceAction`  
+`aws:PrincipalArn` `aws:PrincipalAccount` `aws:PrincipalOrgPaths` `aws:PrincipalOrgID` `aws:PrincipalTag/tag-key` `aws:PrincipalIsAWSService` `aws:PrincipalServiceName` `aws:PrincipalServiceNamesList` `aws:PrincipalType` `aws:userid` `aws:username` |  `aws:AssumedRoot` `aws:FederatedProvider` `aws:TokenIssueTime` `aws:MultiFactorAuthAge` `aws:MultiFactorAuthPresent` `aws:ChatbotSourceArn` `aws:Ec2InstanceSourceVpc` `aws:Ec2InstanceSourcePrivateIPv4` `aws:SourceIdentity` `ec2:RoleDelivery` `ec2:SourceInstanceArn` `glue:RoleAssumedBy` `glue:CredentialIssuingService` `codebuild:BuildArn` `codebuild:ProjectArn` `lambda:SourceFunctionArn` `ssm:SourceInstanceArn` `identitystore:UserId` |  `aws:SourceIp` `aws:SourceVpc` `aws:SourceVpcArn` `aws:SourceVpce` `aws:VpceAccount` `aws:VpceOrgID` `aws:VpceOrgPaths` `aws:VpcSourceIp` |  `aws:ResourceAccount` `aws:ResourceOrgID` `aws:ResourceOrgPaths` `aws:ResourceTag/tag-key` |  `aws:CalledVia` `aws:CalledViaFirst` `aws:CalledViaLast` `aws:CalledViaAWSMCP` `aws:ViaAWSService` `aws:ViaAWSMCPService` `aws:CurrentTime` `aws:EpochTime` `aws:referer` `aws:RequestedRegion` `aws:RequestTag/tag-key` `aws:TagKeys` `aws:SecureTransport` `aws:SourceAccount` `aws:SourceArn` `aws:SourceOrgID` `aws:SourceOrgPaths` `aws:UserAgent` `aws:IsMcpServiceAction`  
@@ -1006,0 +1007,62 @@ The following example adds a condition that is attached to an IAM role that is u
+### codebuild:BuildArn
+
+This key identifies the CodeBuild build ARN that IAM role credentials were delivered to. Use this key to verify whether a call to an AWS resource came from a specific CodeBuild build.
+
+###### Note
+
+The full value of `codebuild:BuildArn` is not known in advance because it contains the dynamically generated build ID.
+
+  * **Availability** – This key is included in the request context whenever a request is made by a role assumed by CodeBuild.
+
+  * **Data type** – [ARN](./reference_policies_elements_condition_operators.html#Conditions_ARN)
+
+  * **Value type** – Single-valued
+
+  * **Example value** – arn:aws:codebuild:us-east-1:123456789012:build/MyBuildProject:12345678-1234-1234-1234-123456789012
+
+
+
+
+The following example allows a specific CodeBuild build to have `s3:GetObject` access to the specified bucket.
+    
+    
+    {
+        "Effect": "Allow",
+        "Action": "s3:GetObject",
+        "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
+        "Condition": {
+            "ArnLike": {
+                "codebuild:BuildArn": "arn:aws:codebuild:us-east-1:123456789012:build/MyBuildProject:*"
+            }
+        }
+    }
+
+### codebuild:ProjectArn
+
+This key identifies the CodeBuild project ARN that IAM role credentials were delivered to an CodeBuild build. Use this key to verify whether a call to an AWS resource came from a specific CodeBuild project.
+
+  * **Availability** – This key is included in the request context whenever a request is made by a role assumed by CodeBuild.
+
+  * **Data type** – [ARN](./reference_policies_elements_condition_operators.html#Conditions_ARN)
+
+  * **Value type** – Single-valued
+
+  * **Example value** – arn:aws:codebuild:us-east-1:123456789012:project/MyBuildProject
+
+
+
+
+The following example allows any build from a specific CodeBuild project to have `s3:GetObject` access to the specified bucket.
+    
+    
+    {
+        "Effect": "Allow",
+        "Action": "s3:GetObject",
+        "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
+        "Condition": {
+            "ArnEquals": {
+                "codebuild:ProjectArn": "arn:aws:codebuild:us-east-1:123456789012:project/MyBuildProject"
+            }
+        }
+    }
+