AWS Security ChangesHomeSearch

AWS imagebuilder documentation change

Service: imagebuilder · 2026-04-10 · Documentation medium

File: imagebuilder/latest/userguide/security-iam-awsmanpol.md

Summary

Added documentation for new IAM policy permissions (imagebuilder:StartImagePipelineExecution and imagebuilder:TagResource) to support automated tagging of output images

Security assessment

This change documents updates to the Image Builder service role IAM policy to support automated image tagging. While IAM policies are security-related, there is no evidence in the diff that this addresses a specific security vulnerability. The change appears to be a feature enhancement for automated pipeline execution and resource tagging capabilities.

Diff

diff --git a/imagebuilder/latest/userguide/security-iam-awsmanpol.md b/imagebuilder/latest/userguide/security-iam-awsmanpol.md
index 28e27eb57..d13cdbce6 100644
--- a//imagebuilder/latest/userguide/security-iam-awsmanpol.md
+++ b//imagebuilder/latest/userguide/security-iam-awsmanpol.md
@@ -84,0 +85,2 @@ Additionally, Image Builder can start, stop, and terminate instances that are ru
+  * **Image Builder** – Access is granted for Image Builder to automatically trigger pipelines on the user's behalf on a user-provided schedule and apply tags to the resulting images. Only used when the `imageTags` property is set on a pipeline and that pipeline is configured to run on a schedule.
+
@@ -215,0 +218,6 @@ Change | Description | Date
+AWSServiceRoleForImageBuilder – Update to an existing policy |  Image Builder made the following changes to the service role to support the automated tagging of output images when the `imageTags` property is set on a pipeline.
+
+  * Added `imagebuilder:StartImagePipelineExecution` to allow Image Builder to trigger pipelines on the user's behalf on a user-provided schedule with the tags to be applied.
+  * Added `imagebuilder:TagResource` to allow Image Builder to tag output images from pipelines on the user's behalf.
+
+| March 18, 2026