CodePipeline: orchestrating delivery

Stages, actions, artifacts, approvals, secure roles.

Beginner30 min · lesson 1 of 15

AWS DevOps begins with automated delivery, and CodePipeline is the orchestration service that models a release as a sequence of stages. Understanding how it chains source, build, test, and deploy is the foundation for everything else.

Stages, actions, and artifacts

A pipeline is an ordered set of stages, each containing actions — source (pull from CodeCommit, GitHub, or S3), build (CodeBuild), test, deploy (CodeDeploy, CloudFormation, ECS), and approvals. Artifacts flow between stages through an S3 artifact bucket: a build produces an artifact that the deploy stage consumes. You can add a manual approval action to gate promotion to production, and parallel actions to run independent steps together. The pipeline reacts automatically to source changes, so a commit flows through build, test, and deploy without manual steps — the core of continuous delivery on AWS.

a pipeline as stages and actions
Source → pull code (CodeCommit / GitHub / S3) → artifact
Build → CodeBuild (compile, unit test, package) → artifact
Test → integration tests / security scans (fail = stop)
Approve → manual approval gate before prod
Deploy → CodeDeploy / CloudFormation / ECS
# Artifacts pass between stages via an S3 bucket; the pipeline runs on every
# source change, automatically.

Least privilege and security in the pipeline

The pipeline is powerful — it can deploy to production — so secure it accordingly. Give CodePipeline and CodeBuild scoped IAM roles with only the permissions each stage needs, never long-lived keys, and for external CI use OIDC federation instead of stored credentials. Integrate security scanning (SAST, dependency, and image scans) as pipeline stages that can fail the build, shifting security left so vulnerabilities are caught before deploy. Store configuration and secrets in Parameter Store or Secrets Manager and fetch them at build/deploy time via the role, not baked into artifacts. A well-designed pipeline is both fast and a security control.

The delivery pipeline
1source change
commit triggers the pipeline
2build + test + scan
CodeBuild; fail-fast on issues
3approval gate
controlled promotion to prod
4deploy
CodeDeploy / CloudFormation / ECS
A commit flows automatically through build, test, and deploy. Scoped roles and in-pipeline scanning make it a control, not just automation.
A pipeline with broad IAM is a production backdoor
A CodePipeline or CodeBuild role with wildcard permissions means a compromised build step can do anything in the account. Scope each stage’s role to exactly what it needs, use OIDC for external CI instead of stored keys, and treat the pipeline’s permissions as production-critical.