AWS imagebuilder documentation change
Summary
Updated permissions guidance to recommend using custom IAM roles instead of the service-linked role, added security best practices section
Security assessment
The change emphasizes replacing the service-linked role with custom IAM roles for better permission control and policy enforcement, improving security posture through least privilege principles without addressing a specific vulnerability.
Diff
diff --git a/imagebuilder/latest/userguide/manage-image-workflows.md b/imagebuilder/latest/userguide/manage-image-workflows.md index 2bf6e6473..0f53e3e15 100644 --- a//imagebuilder/latest/userguide/manage-image-workflows.md +++ b//imagebuilder/latest/userguide/manage-image-workflows.md @@ -66 +66 @@ After this stage completes successfully, Image Builder creates a snapshot or con -To run image workflows, Image Builder needs permission to perform workflow actions. You can specify the [AWSServiceRoleForImageBuilder](./security-iam-awsmanpol.html#sec-iam-manpol-AWSServiceRoleForImageBuilder) service-linked role, or you can specify your own custom role for service access, as follows. +To run image workflows, Image Builder needs permission to perform workflow actions. You grant this permission with an execution role that Image Builder assumes on your behalf. You assign the execution role as follows. @@ -68 +68 @@ To run image workflows, Image Builder needs permission to perform workflow actio - * **Console** – In the pipeline wizard **Step 3 Define image creation process** , select the service-linked role or your own custom role from the **IAM role** list in the **Service access** panel. +###### Important @@ -70 +70 @@ To run image workflows, Image Builder needs permission to perform workflow actio - * **Image Builder API** – In the [CreateImage](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_CreateImage.html) action request, specify the service-linked role or your own custom role as the value for the `executionRole` parameter. +We recommend that you don't pass the [AWSServiceRoleForImageBuilder](./security-iam-awsmanpol.html#sec-iam-manpol-AWSServiceRoleForImageBuilder) service-linked role as your execution role. Instead, create a custom IAM role and attach the [EC2ImageBuilderExecutionPolicy](./security-iam-awsmanpol.html#sec-iam-manpol-EC2ImageBuilderExecutionPolicy) AWS managed policy. This policy grants the same permissions that Image Builder needs to call AWS services on your behalf. Using a custom role gives you full control over the permissions that Image Builder uses. It also keeps your service control policies (SCPs) and resource control policies (RCPs) in effect for operations that Image Builder performs on your behalf. @@ -71,0 +72 @@ To run image workflows, Image Builder needs permission to perform workflow actio + * **Console** – In the pipeline wizard **Step 3 Define image creation process** , select your custom role from the **IAM role** list in the **Service access** panel. @@ -72,0 +74 @@ To run image workflows, Image Builder needs permission to perform workflow actio + * **Image Builder API** – In the [CreateImage](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_CreateImage.html) action request, specify your custom role as the value for the `executionRole` parameter. @@ -75 +77,3 @@ To run image workflows, Image Builder needs permission to perform workflow actio -To learn more about how to create a service role, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the _AWS Identity and Access Management User Guide_. + + +To create a custom execution role, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the _AWS Identity and Access Management User Guide_.