AWS imagebuilder documentation change
Summary
Added IAM role security recommendations advising against using service-linked roles and recommending custom roles with specific policies
Security assessment
The change provides security best practices for IAM role configuration but doesn't indicate any specific vulnerability being patched. It improves security documentation by emphasizing least-privilege principles without referencing a security incident.
Diff
diff --git a/imagebuilder/latest/userguide/cr-upd-ami-distribution-settings.md b/imagebuilder/latest/userguide/cr-upd-ami-distribution-settings.md index b74fdb7da..9c2d6bf29 100644 --- a//imagebuilder/latest/userguide/cr-upd-ami-distribution-settings.md +++ b//imagebuilder/latest/userguide/cr-upd-ami-distribution-settings.md @@ -49,0 +50,4 @@ When you create a pipeline or use the create-image command in the AWS CLI, you c +###### Important + +We recommend that you don't pass the [AWSServiceRoleForImageBuilder](./security-iam-awsmanpol.html#sec-iam-manpol-AWSServiceRoleForImageBuilder) service-linked role as your execution role. Instead, create a custom IAM role and attach the [EC2ImageBuilderExecutionPolicy](./security-iam-awsmanpol.html#sec-iam-manpol-EC2ImageBuilderExecutionPolicy) AWS managed policy. This policy grants the same permissions that Image Builder needs to call AWS services on your behalf. Using a custom role gives you full control over the permissions that Image Builder uses. It also keeps your service control policies (SCPs) and resource control policies (RCPs) in effect for operations that Image Builder performs on your behalf. + @@ -64,0 +69,2 @@ Before you create a new distribution configuration for EC2 Fast Launch for Windo +This feature requires additional permissions beyond those in the base execution policy, so you must use a custom role. We recommend that you create a custom role with the [EC2ImageBuilderExecutionPolicy](./security-iam-awsmanpol.html#sec-iam-manpol-EC2ImageBuilderExecutionPolicy) AWS managed policy attached, and then add the EC2FastLaunchFullAccess policy to that role. +