AWS CodeCommit – Securing the Repository and Branches
Download as PPTX, PDF0 likes344 views
The document outlines the steps to secure AWS CodeCommit repositories and branches, emphasizing the creation of IAM groups with specific inline policies that restrict actions such as push, delete, and merge. It details how to add users to these groups and prioritize permissions, particularly to prevent junior developers from accessing critical repository functions. Additionally, it includes references to AWS documentation for constructing appropriate deny JSON policies and managing user permissions.
![https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"codecommit:GitPush",
"codecommit:DeleteBranch",
"codecommit:PutFile",
"codecommit:Merge*"
],
"Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
"Condition": {
"StringEqualsIfExists": {
"codecommit:References": [
"refs/heads/master"
]
},
"Null": {
"codecommit:References": false
}
}
}
]
}](https://image.slidesharecdn.com/awscodecommitsecuring-200616061541/85/AWS-CodeCommit-Securing-the-Repository-and-Branches-17-320.jpg)
AWS CodeCommit – Securing the Repository and Branches
- 1. AWS CodeCommit – Securing the Repository and Branches Mr. Subramanyam Tirumani Vemala subramanyam.vemala@capgemini.com
- 2. Securing Repo’s and Branches - CodeCommit: Steps are in detail with the screenshots as below: 1. Create IAM – Group, which has the inline policies to Deny, delete, merge, push, put file etc. 2. Add the user to the secured Group. 3. While creating the Group, attach the inline policy by adding the appropriate JSON. 4. Any user can be added into the multiple groups. 5. Minimum access Group policies will override the Group with maximum access policies. One scenario, where this can be used is, to prevent junior developers to push, merge, delete, add files etc. into the Repo or Branches and securing them.
- 4. Search for IAM service:
- 5. Click on Create New Group:
- 6. Fill-in the details, as per the titles:
- 7. Skip, this Attach Policy – its optional:
- 9. New Group is created:
- 10. Choose the created Group:
- 11. “click here”, to attach inline policy:
- 12. Set Permissions:
- 13. Fill-in the inline policy details:
- 14. Review policy:
- 15. Policy applied to the Group:
- 16. Refer AWS Documentation for Deny JSON, and construct:
- 17. https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "codecommit:GitPush", "codecommit:DeleteBranch", "codecommit:PutFile", "codecommit:Merge*" ], "Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo", "Condition": { "StringEqualsIfExists": { "codecommit:References": [ "refs/heads/master" ] }, "Null": { "codecommit:References": false } } } ] }
- 18. IAM – Users:
- 19. Click on User, for the details:
- 20. Groups tab – Click on Add user to groups:
- 21. Choose the Group, for which you need to add the User:
- 22. This specific user is a member of two Group’s:
- 24. User’s Permissions tab – Add permissions button:
- 25. User’s – Security credentials tab – Click on Create access key:
- 26. Access key created, download the csv file for details:
- 27. User’s – list of Access Keys:
- 28. Generate Git credentials for AWS CodeCommit:
- 30. Downloaded XLS Git credentials:
- 31. Action's available on a generated HTTPS Git credentials:
- 32. Users – Access Advisor tab:
- 33. List of policies attached to that specific User: