AWS CodeCommit: Securing The Repository and Branches
Inception: Learn how to secure AWS CodeCommit repository branches. You will use an IAM policy to restrict direct pushes of code to the master branch.
In this article you will learn how to secure the CodeCommit repository branches. As a best practice, the repository's master branch should be protected so that code cannot be pushed directly into it.
To push any code into master, a developer must open a Pull Request; the PR must be reviewed by another engineer, and only then is it merged into the master branch.

You must know how to create branches (also called feature branches) in AWS CodeCommit. You develop a feature in a branch and then merge that feature into master.
The master branch is the working version of your code, so it's a bad practice to push code directly to the master branch. The best practice is to develop your code in a feature branch, get it tested, open a Pull Request, get the code review done, and after that merge the code into the master branch.
Now let's see how to enforce this best practice by limiting pushes and merges to branches in AWS CodeCommit.
Limit Pushes and Merges in AWS CodeCommit
Following are the steps to limit pushes and merges in AWS CodeCommit.
- Create an IAM group called developers, and add all developers within your team to it.
- Create an inline policy with the statements below inside the developers group.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "codecommit:GitPush",
                "codecommit:DeleteBranch",
                "codecommit:PutFile",
                "codecommit:MergeBranchesByFastForward",
                "codecommit:MergeBranchesBySquash",
                "codecommit:MergeBranchesByThreeWay",
                "codecommit:MergePullRequestByFastForward",
                "codecommit:MergePullRequestBySquash",
                "codecommit:MergePullRequestByThreeWay"
            ],
            "Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
            "Condition": {
                "StringEqualsIfExists": {
                    "codecommit:References": [
                        "refs/heads/master"
                    ]
                },
                "Null": {
                    "codecommit:References": false
                }
            }
        }
    ]
}
With this policy, actions such as pull and clone are still allowed, but GitPush, DeleteBranch, PutFile and the merge actions are denied on the master branch for every member of the developers group. The Deny applies only when the request carries a codecommit:References key (the Null condition) and that reference is refs/heads/master (the StringEqualsIfExists condition). Replace the us-east-2 region, the 111111111111 account, the repository name MyDemoRepo, and the master branch with your own values; the Resource ARN must match the region the repository actually lives in, or the Deny will never match.
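To see exactly which requests the Deny statement catches before attaching it to a real group, the following added example (not code from the article or from AWS) models the small subset of IAM policy evaluation the statement relies on: action and resource matching, the StringEqualsIfExists operator and the Null operator. It embeds the policy above, runs a battery of constructed requests against it, and also shows what changes if the Null condition is dropped. It models only the explicit-Deny side (the developers' Allow permissions come from policies the article does not show) and assumes one reference per request; the request names and the OtherRepo ARN are constructed for the example.

```python
import copy
import json
from fnmatch import fnmatchcase

# The Deny statement from the article, embedded so the example runs offline.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "codecommit:GitPush",
        "codecommit:DeleteBranch",
        "codecommit:PutFile",
        "codecommit:MergeBranchesByFastForward",
        "codecommit:MergeBranchesBySquash",
        "codecommit:MergeBranchesByThreeWay",
        "codecommit:MergePullRequestByFastForward",
        "codecommit:MergePullRequestBySquash",
        "codecommit:MergePullRequestByThreeWay"
      ],
      "Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
      "Condition": {
        "StringEqualsIfExists": {"codecommit:References": ["refs/heads/master"]},
        "Null": {"codecommit:References": false}
      }
    }
  ]
}
""")

REPO = "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_holds(condition, context):
    """Evaluate an IAM Condition block for the operators used in this policy.

    Operators in one block are ANDed; the values listed under a key are ORed.
    'context' maps condition keys to a single string value (one ref per request).
    """
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            expected = _as_list(expected)
            present = key in context
            if operator == "Null":
                # Null: true  -> the key must be absent from the request.
                # Null: false -> the key must be present in the request.
                want_absent = str(expected[0]).lower() == "true"
                if present == want_absent:
                    return False
            elif operator in ("StringEquals", "StringEqualsIfExists"):
                if not present:
                    if operator == "StringEqualsIfExists":
                        continue  # ...IfExists: a missing key counts as a match
                    return False
                if context[key] not in expected:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def evaluate(policy, action, resource, context):
    """Return 'Deny' if any Deny statement matches the request, else 'NotDenied'."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # Action names are case-insensitive and may contain wildcards; ARNs are case-sensitive.
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if condition_holds(stmt.get("Condition", {}), context):
            return "Deny"
    return "NotDenied"


def without_null_condition(policy):
    """Copy of the policy with the Null condition removed, to show what it contributes."""
    stripped = copy.deepcopy(policy)
    for stmt in stripped["Statement"]:
        stmt.get("Condition", {}).pop("Null", None)
    return stripped


def check_branch_protection(policy):
    """Run constructed requests (hypothetical names) through the policy and collect the outcomes."""
    master = {"codecommit:References": "refs/heads/master"}
    feature = {"codecommit:References": "refs/heads/feature-1"}
    other_repo = "arn:aws:codecommit:us-east-2:111111111111:OtherRepo"  # constructed ARN
    cases = {
        "push_master": ("codecommit:GitPush", REPO, master),
        "delete_master": ("codecommit:DeleteBranch", REPO, master),
        "merge_pr_master": ("codecommit:MergePullRequestBySquash", REPO, master),
        "push_feature": ("codecommit:GitPush", REPO, feature),
        "pull_master": ("codecommit:GitPull", REPO, master),
        "push_other_repo": ("codecommit:GitPush", other_repo, master),
        "push_no_ref_key": ("codecommit:GitPush", REPO, {}),  # request without the context key
    }
    return {name: evaluate(policy, *args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, outcome in check_branch_protection(POLICY).items():
        print(f"{name:18} {outcome}")
    # Without the Null condition, StringEqualsIfExists alone matches a request that
    # carries no codecommit:References key at all, so such a request would be denied.
    print("no ref key, Null condition removed:",
          evaluate(without_null_condition(POLICY), "codecommit:GitPush", REPO, {}))
```

The outcomes worth checking are that pushes, branch deletion and PR merges targeting refs/heads/master on MyDemoRepo are denied, while a push to feature-1, a pull, and a push to a different repository are untouched; the last case shows that the Null condition is what keeps the Deny from firing on requests that carry no reference key. For the authoritative answer on a live account, the same requests can be fed to the IAM policy simulator with codecommit:References as a context key.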
Test the policy
To test the effects of the policy and ensure that it acts as expected, follow the steps below:
- Choose one of the users you added to the developers group and clone the repository's master branch.
- Make a small change in the cloned code locally.
- Add the code: git add .
- Commit the code locally: git commit -m "Testing code policy changes"
- Now, try to push the code to the master branch: git push origin master
- You must get an error like: Access denied: You don't have permission to push changes to this branch.
➜ spring-boot-demo git:(master) ✗ git add .
➜ spring-boot-demo git:(master) ✗ git commit -m "Changed description"
[master e1bdea1] Changed description
1 file changed, 1 insertion(+), 1 deletion(-)
➜ spring-boot-demo git:(master) git push origin master
Enter passphrase for key '/Users/sushiver/.ssh/id_rsa':
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 8 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 374 bytes | 374.00 KiB/s, done.
Total 3 (delta 1), reused 0 (delta 0)
Access denied: You don't have permission to push changes to this branch.
To ssh://git-codecommit.us-west-2.amazonaws.com/v1/repos/spring-boot-demo
! [remote rejected] master -> master (You don't have permission to push changes to this branch.)
error: failed to push some refs to 'ssh://git-codecommit.us-west-2.amazonaws.com/v1/repos/spring-boot-demo'
➜ spring-boot-demo git:(master)
How to push code to the master branch?
As you have blocked direct pushes to the master branch, developers now need to create a feature branch, push their code changes to that branch, and open a Pull Request against the master branch.
Following are the steps to push your code into the master branch.
- Create a branch after committing the code locally: git checkout -b feature-1
- Push the code to feature-1, as the code is already added and committed: git push origin feature-1
➜ spring-boot-demo git:(master) git checkout -b feature-1
Switched to a new branch 'feature-1'
➜ spring-boot-demo git:(feature-1) git push origin feature-1
Warning: Permanently added the RSA host key for IP address '52.119.161.60' to the list of known hosts.
Enter passphrase for key '/Users/sushiver/.ssh/id_rsa':
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 8 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 374 bytes | 374.00 KiB/s, done.
Total 3 (delta 1), reused 0 (delta 0)
To ssh://git-codecommit.us-west-2.amazonaws.com/v1/repos/spring-boot-demo
* [new branch] feature-1 -> feature-1
➜ spring-boot-demo git:(feature-1)
- Open the spring-boot-demo repository and click the Create Pull Request button.
- Select master in Destination and feature-1 in the Source, and click on the Compare button.
- The pull request should show Mergeable in green.
Conclusion: Now you can protect the master branch of your CodeCommit repository, or any other branch you want. You can create groups of users with different policies on the CodeCommit repository.