Improved Security with AWS CodeCommit

  • April 26, 2016

AWS CodeCommit is a fully managed version control management service offered by Amazon Web Services. It is a highly scalable and fully managed hosted service. It is compatible with Git and hence all of the git commands work with AWS CodeCommit. AWS Codecommit is highly secure in the sense that the data is encrypted both at rest and in transit. The repositories offered under this service are private by default. AWS Codecommit supports both HTTPS and SSH protocols.

AWS CodeCommit is tightly integrated with IAM roles. This makes it very easy to provide fine grained access controls to the repositories. It can be especially helpful if there is a repository to which access needs to be enabled only for a particular set of instances.  One can have the IAM roles configured such that only a certain set of instances have access to it. Thus they need not worry about storing and managing SSH keys. In addition, AWS CodeCommit also supports authentication through SAML and provides support for Multi-Factor Authentication (MFA). AWS CodeCommit makes it easier to securely automate application deployment and configurations. Here is an example IAM policy to provide read-only access to a repo called as MyDemoRepo. To restrict the access to specific repositories the Resource section should specify the ARN of those repositories


 "Version": "2012-10-17",

 "Statement": [


     "Effect": "Allow",

     "Action": [






"Resource": "arn:aws:codecommit:us-east-1:[AccountNumber]:MyDemoRepo"




SSH is the preferred way of automating repository access for most of the other hosted services. Although SSH is very secure, managing/storing SSH keys is a little cumbersome. Especially when the key is being used in automated CI/CD systems. One way to secure the key is to use encryption mechanisms to secure the SSH keys at rest and decrypt it only when it is being used. Using HTTPS protocol requires the use of username and password and even in this case one has to take care that the password is not stored as plaintext.

AWS Codecommit offers a very ingenious way to get around this problem. It makes use of git credential helper to store the username/password to the repositories. Using awscli command one can generate temporary username and password to access the repositories, this makes the connections highly secure. One can generate temporary username/password to access the repository by using the awscli command aws codecommit credential-helper get. This command generates SigV4 compatible username/password based on protocol, host and repository path. The git client on the local machine can be configured to use this command to get credentials.

git config --global credential.helper '!aws --profile CodeCommitProfileName codecommit credential-helper $@'
git config --global credential.UseHttpPath true

Using AWS CodeCommit, one can avoid the hassle to manage and store SSH keys. Also, one can have fine-grained access controls. For example suppose there is repository whose access is restricted only to the production servers then using IAM policies and Roles, one can easily configure those production instances to have access to the repo without requiring any SSH keys. This is helpful especially for storing production specific configuration files that can be accessed only by the production instances.

AWS CodeCommit recently added support for SNS and Lambda. This enables users to create webhooks, send email notifications, and run custom code on repository events.

One can also easily integrate CodeCommit with CI/CD tools like jenkins using this feature. This blog describes how to do that.  

Please contact us to discuss how CodeCommit can fit into your architecture or download our solutions overview.

Did you find this useful?

Interested in getting tips, best practices and commentary delivered regularly? Click the button below to sign up for our blog and set your topic and frequency preferences.


Subscribe to our blog


Related Blog Posts