AWS imagebuilder documentation change
Summary
Added documentation for new IAM policy permissions (imagebuilder:StartImagePipelineExecution and imagebuilder:TagResource) to support automated tagging of output images
Security assessment
This change documents updates to the Image Builder service role IAM policy to support automated image tagging. While IAM policies are security-related, there is no evidence in the diff that this addresses a specific security vulnerability. The change appears to be a feature enhancement for automated pipeline execution and resource tagging capabilities.
Diff
diff --git a/imagebuilder/latest/userguide/security-iam-awsmanpol.md b/imagebuilder/latest/userguide/security-iam-awsmanpol.md index 28e27eb57..d13cdbce6 100644 --- a//imagebuilder/latest/userguide/security-iam-awsmanpol.md +++ b//imagebuilder/latest/userguide/security-iam-awsmanpol.md @@ -84,0 +85,2 @@ Additionally, Image Builder can start, stop, and terminate instances that are ru + * **Image Builder** – Access is granted for Image Builder to automatically trigger pipelines on the user's behalf on a user-provided schedule and apply tags to the resulting images. Only used when the `imageTags` property is set on a pipeline and that pipeline is configured to run on a schedule. + @@ -215,0 +218,6 @@ Change | Description | Date +AWSServiceRoleForImageBuilder – Update to an existing policy | Image Builder made the following changes to the service role to support the automated tagging of output images when the `imageTags` property is set on a pipeline. + + * Added `imagebuilder:StartImagePipelineExecution` to allow Image Builder to trigger pipelines on the user's behalf on a user-provided schedule with the tags to be applied. + * Added `imagebuilder:TagResource` to allow Image Builder to tag output images from pipelines on the user's behalf. + +| March 18, 2026