Security in AWS CodePipeline

Embed encryption, least-privilege roles, and auditability into every stage.

Pipeline architecture & security touchpoints

SourceWebhook secrets, branch policies

BuildSAST, deps scan

TestDAST, IAM least priv

DeployArtifact signing, approvals

ProdDrift detection

Each stage should use its own IAM role (least privilege) and emit audit events.

Artifacts, S3 buckets, and SNS notifications can use customer-managed keys (CMKs) with key policies + IAM.

CodePipeline→kms:Decrypt / GenerateDataKey→Encrypted artifact in S3

Stage	Role intent	Example actions (scoped)
Source	Read repo only	`codecommit:GitPull` or GitHub OIDC subject
Build	Build project	`logs:*` to project log group; `s3:GetObject` on input prefix
Deploy	Target env	`cloudformation:` or `codedeploy:` on approved ARNs

PCI-DSS segmentationSOC 2 change mgmtISO 27001 logging

Map pipeline controls to frameworks your assessors expect.

Separate pipelines per environment with manual approval gates for production
Immutable artifacts; promote the same digest through stages
Mandatory code review + SAST thresholds; break-glass with ticket ID
Secrets from Secrets Manager / SSM Parameter Store; no long-lived keys in buildspec