AWS Security ChangesHomeSearch

AWS imagebuilder documentation change

Service: imagebuilder · 2026-07-07 · Documentation high

File: imagebuilder/latest/userguide/tutorial-ssm-parameters-recipe.md

Summary

Added IAM role recommendation advising against service-linked roles in favor of custom roles with EC2ImageBuilderExecutionPolicy.

Security assessment

Explicit security guidance promoting least-privilege access by recommending custom IAM roles. Mitigates potential over-permission risks but doesn't reference a specific vulnerability.

Diff

diff --git a/imagebuilder/latest/userguide/tutorial-ssm-parameters-recipe.md b/imagebuilder/latest/userguide/tutorial-ssm-parameters-recipe.md
index 96039479c..8d5e0a6aa 100644
--- a//imagebuilder/latest/userguide/tutorial-ssm-parameters-recipe.md
+++ b//imagebuilder/latest/userguide/tutorial-ssm-parameters-recipe.md
@@ -66,0 +67,4 @@ When you create a pipeline or use the create-image command in the AWS CLI, you c
+###### Important
+
+We recommend that you don't pass the [AWSServiceRoleForImageBuilder](./security-iam-awsmanpol.html#sec-iam-manpol-AWSServiceRoleForImageBuilder) service-linked role as your execution role. Instead, create a custom IAM role and attach the [EC2ImageBuilderExecutionPolicy](./security-iam-awsmanpol.html#sec-iam-manpol-EC2ImageBuilderExecutionPolicy) AWS managed policy. This policy grants the same permissions that Image Builder needs to call AWS services on your behalf. Using a custom role gives you full control over the permissions that Image Builder uses. It also keeps your service control policies (SCPs) and resource control policies (RCPs) in effect for operations that Image Builder performs on your behalf.
+