AWS CodeCommit - Securing The Repository and Branches


Inception: Learn how to secure AWS CodeCommit repository branches. You will use an IAM policy to restrict pushing code directly to the master branch.

In this article you will learn how to secure the CodeCommit repository branches. As a best practice, pushing code directly into the repository's master branch should be restricted.

To get any code into master, a developer must open a Pull Request; this PR must be reviewed by another engineer, and only then is it merged into the master branch.

AWS CodeCommit

You must know how to create branches (also called feature branches) in AWS CodeCommit. You develop a feature in a branch and then merge that feature into master.

The master branch is the working version of your code, so it's bad practice to push code directly to it. The best practice is to develop your code in a feature branch, get it tested, open a Pull Request, get the code review done, and only after that merge the code into the master branch.

Now let's see how to enforce this best practice by limiting pushes and merges to branches in AWS CodeCommit.

Limit Pushes and Merges in AWS CodeCommit

  • Create an IAM group called developers, and add all developers within your team.
  • Create an inline policy with the statements below inside the developers group.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "codecommit:GitPush",
                "codecommit:DeleteBranch",
                "codecommit:PutFile",
                "codecommit:MergeBranchesByFastForward",
                "codecommit:MergeBranchesBySquash",
                "codecommit:MergeBranchesByThreeWay",
                "codecommit:MergePullRequestByFastForward",
                "codecommit:MergePullRequestBySquash",
                "codecommit:MergePullRequestByThreeWay"
            ],
            "Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
            "Condition": {
                "StringEqualsIfExists": {
                    "codecommit:References": [
                        "refs/heads/master"
                    ]
                },
                "Null": {
                    "codecommit:References": false
                }
            }
        }
    ]
}
  • Generic CodeCommit actions such as pull and clone are still allowed, but GitPush, DeleteBranch, PutFile and the merge actions are denied by this policy. The Deny is scoped by the two conditions: StringEqualsIfExists matches when codecommit:References is refs/heads/master, and the Null condition with value false makes the statement apply only to requests that actually carry the codecommit:References key, so pushes to other branches and calls without a branch reference are unaffected.
  • Add users to the developers group.
  • Now these users will not be able to push, delete, put, etc. on the master branch of the repository named MyDemoRepo in account 111111111111, region us-east-2 (the Resource ARN must name the repository you want to protect).
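To see exactly which requests the Deny statement above matches, here is an added example that re-implements, locally, the two IAM condition operators the policy uses (StringEqualsIfExists and Null) and evaluates a few constructed request contexts against the policy from this page. It is not AWS code and not the IAM engine: only this one explicit Deny is modelled (the Allow policies the group also needs are assumed), a push is modelled as targeting a single branch ref, and the spring-boot-demo ARN is constructed from values on this page. It also shows why the reviewer who merges the Pull Request must not be subject to this policy, since the MergePullRequest* actions on master are denied too.

```python
"""Local model of the branch-protection Deny statement from this page.

Added example (not AWS code): only the StringEqualsIfExists and Null
operators are modelled, and only the explicit Deny is evaluated.
"""
import copy

REPO_ARN = "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo"  # from the page
PROTECTED_REF = "refs/heads/master"

DENY_MASTER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "codecommit:GitPush",
                "codecommit:DeleteBranch",
                "codecommit:PutFile",
                "codecommit:MergeBranchesByFastForward",
                "codecommit:MergeBranchesBySquash",
                "codecommit:MergeBranchesByThreeWay",
                "codecommit:MergePullRequestByFastForward",
                "codecommit:MergePullRequestBySquash",
                "codecommit:MergePullRequestByThreeWay",
            ],
            "Resource": REPO_ARN,
            "Condition": {
                "StringEqualsIfExists": {"codecommit:References": [PROTECTED_REF]},
                "Null": {"codecommit:References": "false"},
            },
        }
    ],
}


def _string_equals_if_exists(wanted, actual):
    """IfExists: an absent key satisfies the operator; a present key must match."""
    if actual is None:
        return True
    return actual in wanted


def _null(expected, actual):
    """Null "true": the key must be absent. Null "false": the key must be present."""
    want_absent = str(expected).lower() == "true"
    return (actual is None) == want_absent


OPERATORS = {"StringEqualsIfExists": _string_equals_if_exists, "Null": _null}


def _conditions_match(condition, context):
    """Every operator, and every key under it, must evaluate true."""
    for operator, keys in condition.items():
        evaluate = OPERATORS[operator]  # only the operators used on this page
        for key, expected in keys.items():
            if not evaluate(expected, context.get(key)):
                return False
    return True


def is_denied(action, resource, context, policy=DENY_MASTER_POLICY):
    """True if an explicit Deny statement in `policy` matches the request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if action not in stmt["Action"] or resource != stmt["Resource"]:
            continue
        if _conditions_match(stmt.get("Condition", {}), context):
            return True
    return False


def without_null_condition(policy=DENY_MASTER_POLICY):
    """Copy of the policy with the Null condition removed, to show why it is there."""
    stripped = copy.deepcopy(policy)
    for stmt in stripped["Statement"]:
        stmt["Condition"].pop("Null", None)
    return stripped


# Constructed request contexts. codecommit:References is the branch ref a push
# or merge targets; a single-branch push is modelled as one string.
OTHER_REPO_ARN = "arn:aws:codecommit:us-west-2:111111111111:spring-boot-demo"  # constructed
MASTER = {"codecommit:References": "refs/heads/master"}
FEATURE = {"codecommit:References": "refs/heads/feature-1"}
REQUESTS = {
    "push master": ("codecommit:GitPush", REPO_ARN, MASTER),
    "push feature-1": ("codecommit:GitPush", REPO_ARN, FEATURE),
    "delete master": ("codecommit:DeleteBranch", REPO_ARN, MASTER),
    "merge PR into master": ("codecommit:MergePullRequestByFastForward", REPO_ARN, MASTER),
    "pull (no References key)": ("codecommit:GitPull", REPO_ARN, {}),
    "push master, other repo": ("codecommit:GitPush", OTHER_REPO_ARN, MASTER),
}


def evaluate_all(policy=DENY_MASTER_POLICY):
    """Map each constructed request to whether this Deny statement matches it."""
    return {name: is_denied(*req, policy=policy) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, denied in evaluate_all().items():
        print(f"{name:26s} -> {'DENIED' if denied else 'not denied by this statement'}")
    # Without the Null condition, a listed action whose request carries no
    # References key would also be denied, because IfExists accepts an absent key.
    print("GitPush, no References key, Null removed:",
          is_denied("codecommit:GitPush", REPO_ARN, {}, policy=without_null_condition()))
```

The "push master, other repo" case is why the Resource ARN matters: the statement only matches the repository it names. The "merge PR into master" case shows that anyone in the developers group is also blocked from merging into master, so the reviewer who completes the Pull Request needs to sit outside this group or in a group with a different policy.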

Test the policy

To test the effects of the policy and ensure that it acts as expected, follow the steps below:

  • Choose a user you added to the developers group.
  • Make a small change in the cloned code locally.
  • Stage the change: git add .
  • Commit the code locally: git commit -m "Testing code policy changes"
  • Now try to push the code to the master branch: git push origin master
  • You should get an error like: Access denied: You don't have permission to push changes to this branch.
➜  spring-boot-demo git:(master) ✗ git add .
➜  spring-boot-demo git:(master) ✗ git commit -m "Changed description"
[master e1bdea1] Changed description
 1 file changed, 1 insertion(+), 1 deletion(-)
➜  spring-boot-demo git:(master) git push origin master
Enter passphrase for key '/Users/sushiver/.ssh/id_rsa':
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 8 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 374 bytes | 374.00 KiB/s, done.
Total 3 (delta 1), reused 0 (delta 0)
Access denied: You don't have permission to push changes to this branch.
To ssh://git-codecommit.us-west-2.amazonaws.com/v1/repos/spring-boot-demo
 ! [remote rejected] master -> master (You don't have permission to push changes to this branch.)
error: failed to push some refs to 'ssh://git-codecommit.us-west-2.amazonaws.com/v1/repos/spring-boot-demo'
➜  spring-boot-demo git:(master)

How to push code to the master branch?

As direct pushes to the master branch are now blocked, developers need to create a feature branch, push their code changes to that branch, and open a Pull Request against the master branch.

Following are the steps to get your code into the master branch.

  • Create a branch from the commit you already made locally: git checkout -b feature-1
  • Push the code to feature-1 (it is already added and committed): git push origin feature-1
➜  spring-boot-demo git:(master) git checkout -b feature-1
Switched to a new branch 'feature-1'
➜  spring-boot-demo git:(feature-1) git push origin feature-1
Warning: Permanently added the RSA host key for IP address '52.119.161.60' to the list of known hosts.
Enter passphrase for key '/Users/sushiver/.ssh/id_rsa':
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 8 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 374 bytes | 374.00 KiB/s, done.
Total 3 (delta 1), reused 0 (delta 0)
To ssh://git-codecommit.us-west-2.amazonaws.com/v1/repos/spring-boot-demo
 * [new branch]      feature-1 -> feature-1
➜  spring-boot-demo git:(feature-1)
  • Now go to the AWS CodeCommit console and open the spring-boot-demo repository.
  • Click on the Create Pull Request button.
  • Choose master as the Destination and feature-1 as the Source, and click on the Compare button.
  • You should see Mergeable in green.
  • Now enter a Title and Description, and click on the Create Pull Request button at the bottom of the page.
  • Share this Pull Request with another developer.
  • The other developer (user2) must open this Pull Request, review the code changes, and then merge the code into the master branch (this reviewer must not be subject to the policy above, because it also denies the MergePullRequest* actions on master).

Conclusion: Now you can protect your CodeCommit repository's master branch, or any other branch you want. You can create groups of users with different policies on the CodeCommit repository.