AWS CodeCommit: Securing The Repository and Branches

Posted on January 5, 2019
Published on: Jan 05, 2019 | Last updated on: Jan 05, 2019 |
Author: Sushil Verma Sushil Verma (Linkedin, Twitter, Git)

AWS CodeCommit: Securing The Repository and Branches was last modified: August 8th, 2020 by Sushil Verma
Inception: Learn how to secure AWS CodeCommit repository branches. You will use an IAM policy to restrict pushing code directly to the master branch.

In this article you will learn how to secure the CodeCommit repository branches. As a best practice, the repository's master branch should be restricted so that code cannot be pushed directly into it.

To get any code into master, a developer must open a Pull Request; this PR must be reviewed by another engineer and only then merged into the master branch.

You should know how to create branches (also called feature branches) in AWS CodeCommit. You develop a feature in a branch and then merge that feature into master.

The master branch is the working version of your code, so it is bad practice to push code directly to it. The best practice is to develop your code in a feature branch, get it tested, open a Pull Request, get the code review done, and only then merge the code into the master branch.

Now let's see how to enforce this best practice by limiting pushes and merges to branches in AWS CodeCommit.

Limit Pushes and Merges in AWS CodeCommit

Following are the steps to limit pushes and merges in AWS CodeCommit.

  • Create an IAM group called developers, and add all developers on your team.
  • Create an inline policy with the statements below inside the developers group.
  • {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "codecommit:GitPush",
                    "codecommit:DeleteBranch",
                    "codecommit:PutFile",
                    "codecommit:MergeBranchesByFastForward",
                    "codecommit:MergeBranchesBySquash",
                    "codecommit:MergeBranchesByThreeWay",
                    "codecommit:MergePullRequestByFastForward",
                    "codecommit:MergePullRequestBySquash",
                    "codecommit:MergePullRequestByThreeWay"
                ],
                "Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
                "Condition": {
                    "StringEqualsIfExists": {
                        "codecommit:References": [
                            "refs/heads/master"
                         ]
                    },
                    "Null": {
                        "codecommit:References": false
                    }
                }
            }
        ]
    }
    
  • Generic CodeCommit actions like pull, clone, etc. are still allowed, but GitPush, DeleteBranch, PutFile and the merge actions listed above are denied by this policy when they target the master branch.
  • Add users to the developers group.
  • Now these users will not be able to push, delete branches, put files, etc. on the master branch of the repository named MyDemoRepo in account 111111111111, region us-east-2.
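To see why the Deny statement above needs both the StringEqualsIfExists and the Null condition, here is a small evaluator written for this article (it is not AWS's policy engine and not the author's code) that applies the statement's action, resource and condition checks to a few constructed request contexts. The handling of a multi-valued References key (deny if any value matches) is an assumption of this example.

```python
# Added example: a minimal evaluator for the Deny statement in the policy above.
# It is NOT AWS's IAM engine; it only models how "StringEqualsIfExists" and
# "Null" combine for the codecommit:References context key.
from typing import Iterable, Optional

DENIED_ACTIONS = {
    "codecommit:GitPush", "codecommit:DeleteBranch", "codecommit:PutFile",
    "codecommit:MergeBranchesByFastForward", "codecommit:MergeBranchesBySquash",
    "codecommit:MergeBranchesByThreeWay", "codecommit:MergePullRequestByFastForward",
    "codecommit:MergePullRequestBySquash", "codecommit:MergePullRequestByThreeWay",
}
REPO_ARN = "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo"
PROTECTED_REFS = {"refs/heads/master"}  # the policy's codecommit:References value


def string_equals_if_exists(values: Optional[Iterable[str]], allowed: set) -> bool:
    """'...IfExists' evaluates to true when the key is absent from the request;
    when present, the key must equal one of the allowed values.
    Assumption: a multi-valued key matches if any of its values is allowed."""
    if values is None:
        return True
    return any(v in allowed for v in values)


def key_is_present(values: Optional[Iterable[str]]) -> bool:
    """'Null': {key: false} is satisfied only when the key exists in the request."""
    return values is not None


def is_denied(action: str, resource: str, references: Optional[list]) -> bool:
    """True when the explicit Deny statement matches this request context."""
    if action not in DENIED_ACTIONS or resource != REPO_ARN:
        return False
    # Operators inside one Condition block are AND-ed together.
    return string_equals_if_exists(references, PROTECTED_REFS) and key_is_present(references)


def is_denied_without_null(action: str, resource: str, references: Optional[list]) -> bool:
    """The same statement with the Null clause removed, to show what it adds:
    a listed action whose request carries no References key would then be denied."""
    if action not in DENIED_ACTIONS or resource != REPO_ARN:
        return False
    return string_equals_if_exists(references, PROTECTED_REFS)
```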

Test the policy

To test the effects of the policy and ensure that it acts as expected, follow the steps below:

  • Choose one of the users you added to the developers group.
  • Make a small change to the cloned code locally.
  • Stage the change: git add .
  • Commit the change locally: git commit -m "Testing code policy changes"
  • Now try to push the code to the master branch: git push origin master
  • You should get an error like Access denied: You don't have permission to push changes to this branch.
  • ➜  spring-boot-demo git:(master) ✗ git add .
    ➜  spring-boot-demo git:(master) ✗ git commit -m "Changed description"
    [master e1bdea1] Changed description
     1 file changed, 1 insertion(+), 1 deletion(-)
    ➜  spring-boot-demo git:(master) git push origin master
    Enter passphrase for key '/Users/sushiver/.ssh/id_rsa':
    Enumerating objects: 5, done.
    Counting objects: 100% (5/5), done.
    Delta compression using up to 8 threads
    Compressing objects: 100% (3/3), done.
    Writing objects: 100% (3/3), 374 bytes | 374.00 KiB/s, done.
    Total 3 (delta 1), reused 0 (delta 0)
    Access denied: You don't have permission to push changes to this branch.
    To ssh://git-codecommit.us-west-2.amazonaws.com/v1/repos/spring-boot-demo
     ! [remote rejected] master -> master (You don't have permission to push changes to this branch.)
    error: failed to push some refs to 'ssh://git-codecommit.us-west-2.amazonaws.com/v1/repos/spring-boot-demo'
    ➜  spring-boot-demo git:(master)
    

How to push code to the master branch?

Since direct pushes to the master branch are now blocked, developers need to create a feature branch, push their code changes to that branch, and open a Pull Request against the master branch.

Following are the steps to get your code into the master branch.

  • Create a branch after committing the code locally: ➜ spring-boot-demo git:(master) git checkout -b feature-1
  • Push the code to feature-1, since the code is already added and committed: ➜ spring-boot-demo git:(feature-1) git push origin feature-1
  • ➜  spring-boot-demo git:(master) git checkout -b feature-1
    Switched to a new branch 'feature-1'
    ➜  spring-boot-demo git:(feature-1) git push origin feature-1
    Warning: Permanently added the RSA host key for IP address '52.119.161.60' to the list of known hosts.
    Enter passphrase for key '/Users/sushiver/.ssh/id_rsa':
    Enumerating objects: 5, done.
    Counting objects: 100% (5/5), done.
    Delta compression using up to 8 threads
    Compressing objects: 100% (3/3), done.
    Writing objects: 100% (3/3), 374 bytes | 374.00 KiB/s, done.
    Total 3 (delta 1), reused 0 (delta 0)
    To ssh://git-codecommit.us-west-2.amazonaws.com/v1/repos/spring-boot-demo
     * [new branch]      feature-1 -> feature-1
    ➜  spring-boot-demo git:(feature-1)
    
  • Now go to the AWS CodeCommit console and open the spring-boot-demo repository.
  • Click on the Create Pull Request button.
  • Choose master as the Destination and feature-1 as the Source, and click the Compare button.
  • You should see Mergeable shown in green.
  • Now enter a Title and Description, and click the Create Pull Request button at the bottom of the page.
  • Share this Pull Request with another developer.
  • The other developer (user2) must open this Pull Request, review the code changes, and then merge the code into the master branch.

Conclusion: Now you can protect your CodeCommit repository's master branch, or any other branch you want. You can create groups of users with different policies on a CodeCommit repository.
