

# Data protection in AWS CodeCommit
<a name="data-protection"></a>

As a managed service, CodeCommit is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in the *Security Pillar* of the *AWS Well-Architected Framework*.

You use AWS published API calls to access CodeCommit through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.
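A client-side configuration that enforces the two requirements above, added here as an example (it is not AWS code and is not part of the AWS CLI or git-remote-codecommit). It builds a Python `ssl` context that refuses anything below TLS 1.2 and, for TLS 1.2, offers only ECDHE and DHE suites; TLS 1.3 suites always use ephemeral key exchange, so they are left to OpenSSL's default TLS 1.3 list. Nothing here opens a connection; the functions only build and inspect the context.

```python
"""Build a TLS client context that meets the CodeCommit client requirements.

Added example, not AWS code: minimum protocol TLS 1.2 and, for TLS 1.2,
only cipher suites with perfect forward secrecy (ECDHE/DHE).
"""
import ssl

# OpenSSL cipher string for TLS 1.2: ephemeral (EC)DH key exchange only, AEAD
# bulk ciphers, and no anonymous, null or MD5-based suites.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL:!MD5"


def pfs_client_context():
    """Client context: certificate and hostname verification on, TLS >= 1.2, PFS suites only."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 and 1.1
    ctx.set_ciphers(PFS_CIPHERS)                  # applies to TLS 1.2 suites
    return ctx


def non_pfs_suites(ctx):
    """Names of enabled pre-TLS-1.3 suites whose key exchange is not ephemeral.

    Suite names starting with ECDHE- or DHE- use ephemeral key exchange; anything
    else enabled for TLS 1.2 (for example a plain RSA key-exchange suite) is a
    finding. TLS 1.3 suites are skipped because they are always ephemeral.
    """
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3" and not c["name"].startswith(("ECDHE-", "DHE-"))
    ]


if __name__ == "__main__":
    context = pfs_client_context()
    print("minimum version:", context.minimum_version)
    print("non-PFS suites enabled:", non_pfs_suites(context))  # expected: []
```

Pass the context to any client that accepts an `ssl.SSLContext` (for example `urllib.request` via an `HTTPSHandler(context=...)`); the same two settings, minimum version and cipher list, are what to look for when auditing a Git or HTTP client that talks to CodeCommit.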

CodeCommit repositories are automatically encrypted at rest. No customer action is required. CodeCommit also encrypts repository data in transit. You can use either the HTTPS protocol, the SSH protocol, or both with CodeCommit repositories. For more information, see [Setting up for AWS CodeCommit](setting-up.md). You can also configure [cross-account access](cross-account.md) to CodeCommit repositories.

**Topics**
+ [AWS Key Management Service and encryption for AWS CodeCommit repositories](encryption.md)
+ [Connecting to AWS CodeCommit repositories with rotating credentials](temporary-access.md)

# AWS Key Management Service and encryption for AWS CodeCommit repositories
<a name="encryption"></a>

Data in CodeCommit repositories is encrypted in transit and at rest. When data is pushed into a CodeCommit repository (for example, by calling **git push**), CodeCommit encrypts the received data as it is stored in the repository. When data is pulled from a CodeCommit repository (for example, by calling **git pull**), CodeCommit decrypts the data and then sends it to the caller. This assumes the IAM user associated with the push or pull request has been authenticated by AWS. Data sent or received is transmitted using the HTTPS or SSH encrypted network protocols.

You can use either an AWS managed key or a customer managed key for encrypting and decrypting the data in your repository. For more information about the differences between customer managed keys and AWS managed keys, see [Customer managed keys and AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt). If you don't specify a customer managed key, CodeCommit will use an AWS managed key for encrypting and decrypting the data in your repository. This AWS managed key is created automatically for you in your AWS account. The first time you create a CodeCommit repository in a new AWS Region in your Amazon Web Services account, if you don't specify a customer managed key, CodeCommit creates an AWS managed key (the `aws/codecommit` key) in that same AWS Region in AWS Key Management Service (AWS KMS). This `aws/codecommit` key is used only by CodeCommit. It is stored in your Amazon Web Services account. Depending on what you specify, CodeCommit either uses the customer managed key or the AWS managed key to encrypt and decrypt the data in the repository. 

**Important**  
CodeCommit performs the following AWS KMS actions against the AWS KMS key used to encrypt and decrypt data in a repository. If you're using an AWS managed key, a user does not need explicit permissions for these actions, but the user must not have any attached policies that deny these actions for the `aws/codecommit` key. If you are using a customer managed key that has an AWS account ID set as a policy principal for that key, these permissions must be explicitly set to `allow`. Specifically, when you create your first repository, and if you update keys for your repository, none of the following permissions may be set to `deny` if you are using an AWS managed key, and all of them must be set to `allow` if you are using a customer managed key with a policy principal:  
+ `"kms:Encrypt"`
+ `"kms:Decrypt"`
+ `"kms:ReEncrypt"` (depending on context, this could require `kms:ReEncryptFrom`, `kms:ReEncryptTo`, or `kms:ReEncrypt*` not set to deny)
+ `"kms:GenerateDataKey"`
+ `"kms:GenerateDataKeyWithoutPlaintext"`
+ `"kms:DescribeKey"`

If you want to use your own customer managed key, the key must be available in the AWS Region where the repository exists. CodeCommit supports using both single-Region and multi-Region customer managed keys. While all key material origin types are supported, we recommend using the default **KMS** option. Customers using the **External key store** option might experience delays from their store provider. In addition, CodeCommit has the following requirements for customer managed keys:
+ CodeCommit only supports using symmetric keys.
+ The key usage type must be set to **Encrypt and decrypt**.

For more information on creating customer managed keys, see [Concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt) and [Creating keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html).
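The deny-versus-allow rule above is easy to get wrong with a broad "least privilege" deny such as `kms:ReEncrypt*` on `Resource: "*"`, which silently covers the `aws/codecommit` key. The following static check, added here as an example (not AWS code, and not a substitute for the IAM policy simulator), walks a policy document and reports which of the required actions are unconditionally denied, allowed, or not mentioned for a given key ARN. It models Effect, Action/NotAction, Resource/NotResource and IAM wildcards, ignores `Principal` and treats any `Condition` as undecidable. The account ID, key ARN and both policy documents are constructed sample values.

```python
"""Static audit of a policy document against the AWS KMS actions CodeCommit needs.

Added example, not AWS-provided code. It reproduces only the parts of IAM
evaluation needed to spot a statement that would deny one of the required
actions on a given key. Principal is ignored and conditional statements are
reported separately, because their outcome depends on the request.
"""
import fnmatch
import json

# The actions listed in the Important note; kms:ReEncrypt is checked as its two concrete forms.
REQUIRED_KMS_ACTIONS = (
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
)


def _as_list(value):
    """Most IAM policy fields accept a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def statement_covers(stmt, action, key_arn):
    """True if the statement selects this action on this key (Action/Resource or their Not* forms)."""
    if "Action" in stmt:
        action_hit = _matches(_as_list(stmt["Action"]), action, True)
    else:
        action_hit = not _matches(_as_list(stmt.get("NotAction")), action, True)
    if not action_hit:
        return False
    if "Resource" in stmt:
        return _matches(_as_list(stmt["Resource"]), key_arn, False)
    if "NotResource" in stmt:
        return not _matches(_as_list(stmt["NotResource"]), key_arn, False)
    return True  # no Resource element: a KMS key policy applies to its own key


def audit_policy(policy_json, key_arn):
    """Classify each required action as denied, conditionally denied, allowed, or unmentioned."""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    report = {"denied": [], "conditionally_denied": [], "allowed": [], "unmentioned": []}
    for action in REQUIRED_KMS_ACTIONS:
        denied = conditional = allowed = False
        for stmt in statements:
            if not statement_covers(stmt, action, key_arn):
                continue
            if stmt.get("Effect") == "Deny":
                if stmt.get("Condition"):
                    conditional = True
                else:
                    denied = True  # an explicit deny wins regardless of any allow
            elif stmt.get("Effect") == "Allow":
                allowed = True
        bucket = ("denied" if denied else "conditionally_denied" if conditional
                  else "allowed" if allowed else "unmentioned")
        report[bucket].append(action)
    return report


# Constructed sample values: the aws/codecommit managed key in account 111111111111.
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/11111111-2222-3333-4444-555555555555"

# An identity policy that breaks repository creation: the deny on kms:ReEncrypt*
# is meant for other keys but also covers aws/codecommit.
BROKEN_IDENTITY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "codecommit:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["kms:ReEncrypt*", "kms:ScheduleKeyDeletion"], "Resource": "*"},
    ],
})

# A customer managed key policy granting the required actions to the account principal.
SAMPLE_CMK_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCodeCommitUse",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": list(REQUIRED_KMS_ACTIONS),
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    for name, doc in (("broken identity policy", BROKEN_IDENTITY_POLICY),
                      ("customer managed key policy", SAMPLE_CMK_KEY_POLICY)):
        print(name, json.dumps(audit_policy(doc, SAMPLE_KEY_ARN), indent=2))
```

For an AWS managed key, anything in `denied` (or `conditionally_denied`, once you have inspected the condition) is a blocker; for a customer managed key with an account principal, every required action must land in `allowed`. Run it over each policy attached to the principal that creates repositories, plus the key policy itself.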

To see information about the AWS managed key generated by CodeCommit, do the following:

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

1. To change the AWS Region, use the Region selector in the upper-right corner of the page.

1. In the service navigation pane, choose **AWS managed keys**. Make sure that you are signed in to the AWS Region where you want to review keys. 

1. In the list of encryption keys, choose the AWS managed key with the alias **aws/codecommit**. Basic information about the AWS managed key is displayed.

You cannot change or delete this AWS managed key. 

## How encryption algorithms are used to encrypt repository data
<a name="encryption-algorithms"></a>

CodeCommit uses two different approaches for encrypting data. Individual Git objects under 6 MB are encrypted using AES-GCM-256, which provides data integrity validation. Objects between 6 MB and the maximum 2 GB for a single blob are encrypted using AES-CBC-256. CodeCommit always validates the encryption context.

## Encryption context
<a name="encryption-context"></a>

Each service integrated with AWS KMS specifies an encryption context for both the encryption and decryption operations. The encryption context is additional authenticated information AWS KMS uses to check for data integrity. When specified for the encryption operation, it must also be specified in the decryption operation. Otherwise, decryption fails. CodeCommit uses the CodeCommit repository ID for the encryption context. You can use the **get-repository** command or the CodeCommit console to find the repository ID. Search for the CodeCommit repository ID in AWS CloudTrail logs to understand which encryption operations were taken on which key in AWS KMS to encrypt or decrypt data in the CodeCommit repository.

For more information about AWS KMS, see the [AWS Key Management Service Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/).
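Because the repository ID is the encryption context, a CloudTrail search for it isolates exactly the KMS calls made for one repository. The following filter, added here as an example (not AWS code), reads a CloudTrail log file, keeps the `kms.amazonaws.com` events whose `requestParameters.encryptionContext` carries the repository ID, and reports which key was used, by whom, and how often. The records, repository ID, key ARN and account ID are constructed placeholders that follow the CloudTrail record layout; the name of the encryption-context key is an assumption, which is why the filter matches on the context value rather than on the key name.

```python
"""Find the AWS KMS calls made for one CodeCommit repository in a CloudTrail log.

Added example, not AWS code. The log below is constructed; real CloudTrail
files have the same {"Records": [...]} shape after gunzip.
"""
import json

SAMPLE_REPOSITORY_ID = "f7579e13-b83e-4027-aaef-650c0EXAMPLE"           # placeholder
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"
CONTEXT_KEY = "aws:codecommit:repository-id"  # assumed key name; the code does not rely on it

SAMPLE_TRAIL = json.dumps({"Records": [
    {   # CodeCommit obtaining a data key while storing a pushed object
        "eventTime": "2024-05-01T10:15:01Z", "eventSource": "kms.amazonaws.com",
        "eventName": "GenerateDataKey",
        "userIdentity": {"type": "AWSService", "invokedBy": "codecommit.amazonaws.com"},
        "requestParameters": {"keySpec": "AES_256",
                              "encryptionContext": {CONTEXT_KEY: SAMPLE_REPOSITORY_ID}},
        "resources": [{"type": "AWS::KMS::Key", "ARN": SAMPLE_KEY_ARN}],
    },
    {   # the git push itself: a CodeCommit event, not a KMS one
        "eventTime": "2024-05-01T10:15:02Z", "eventSource": "codecommit.amazonaws.com",
        "eventName": "GitPush",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111111111111:assumed-role/CodeCommitAccess/Maria_Garcia"},
        "requestParameters": {"repositoryName": "MyDemoRepo"},
    },
    {   # a later pull decrypting repository data
        "eventTime": "2024-05-01T11:02:40Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "userIdentity": {"type": "AWSService", "invokedBy": "codecommit.amazonaws.com"},
        "requestParameters": {"encryptionAlgorithm": "SYMMETRIC_DEFAULT",
                              "encryptionContext": {CONTEXT_KEY: SAMPLE_REPOSITORY_ID}},
        "resources": [{"type": "AWS::KMS::Key", "ARN": SAMPLE_KEY_ARN}],
    },
    {   # unrelated KMS use by another workload; different context, must not match
        "eventTime": "2024-05-01T11:30:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/other-app"},
        "requestParameters": {"encryptionAlgorithm": "SYMMETRIC_DEFAULT",
                              "encryptionContext": {"app": "billing-export"}},
        "resources": [{"type": "AWS::KMS::Key",
                       "ARN": "arn:aws:kms:us-east-1:111111111111:key/OTHERKEY-EXAMPLE"}],
    },
]})


def kms_events_for_repository(trail_json, repository_id):
    """Return the KMS calls whose encryption context contains repository_id."""
    hits = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        context = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        if repository_id not in context.values():   # match on value, not on key name
            continue
        identity = rec.get("userIdentity") or {}
        key_arns = [r["ARN"] for r in rec.get("resources", []) if r.get("type") == "AWS::KMS::Key"]
        hits.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec.get("eventName"),
            "keyArn": key_arns[0] if key_arns else None,
            "principal": identity.get("arn") or identity.get("invokedBy"),
        })
    return hits


def count_by_event_name(events):
    """Operation counts, e.g. how many Decrypt calls the repository caused."""
    counts = {}
    for event in events:
        counts[event["eventName"]] = counts.get(event["eventName"], 0) + 1
    return counts


if __name__ == "__main__":
    found = kms_events_for_repository(SAMPLE_TRAIL, SAMPLE_REPOSITORY_ID)
    for event in found:
        print(event)
    print(count_by_event_name(found))  # expected: {'GenerateDataKey': 1, 'Decrypt': 1}
```

Pointing this at the log files a trail delivers to Amazon S3 gives a per-repository history of encryption operations; a `keyArn` that is not the expected `aws/codecommit` key or the configured customer managed key is worth investigating.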

# Connecting to AWS CodeCommit repositories with rotating credentials
<a name="temporary-access"></a>

You can give users access to your AWS CodeCommit repositories without configuring IAM users for them or using an access key and secret key. To assign permissions to a federated identity, you create a role and define permissions for the role. When a federated identity authenticates, the identity is associated with the role and is granted the permissions that are defined by the role. For information about roles for federation, see [ Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*. If you use IAM Identity Center, you configure a permission set. To control what your identities can access after they authenticate, IAM Identity Center correlates the permission set to a role in IAM. For information about permissions sets, see [ Permission sets](https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html) in the *AWS IAM Identity Center User Guide*. You can also configure role-based access for IAM users to access CodeCommit repositories in separate Amazon Web Services accounts (a technique known as *cross-account access*). For a walkthrough of configuring cross-account access to a repository, see [Configure cross-account access to an AWS CodeCommit repository using roles](cross-account.md). 

You can configure access for users who want or must authenticate through methods such as:
+ Security Assertion Markup Language (SAML)
+ Multi-factor authentication (MFA)
+ Federation
+ Login with Amazon
+ Amazon Cognito
+ Facebook
+ Google
+ OpenID Connect (OIDC)-compatible identity provider

**Note**  
The following information applies only to the use of **git-remote-codecommit** or the AWS CLI credential helper to connect to CodeCommit repositories. Because the recommended approach for temporary or federated access to CodeCommit is to set up **git-remote-codecommit**, this topic provides examples using that utility. For more information, see [Setup steps for HTTPS connections to AWS CodeCommit with git-remote-codecommit](setting-up-git-remote-codecommit.md).   
You cannot use SSH or Git credentials and HTTPS to connect to CodeCommit repositories with rotating or temporary access credentials. 

You do not need to complete these steps if all of the following requirements are true:
+ You are signed in to an Amazon EC2 instance.
+ You are using Git and HTTPS with the AWS CLI credential helper to connect from the Amazon EC2 instance to CodeCommit repositories.
+ The Amazon EC2 instance has an attached IAM instance profile that contains the access permissions described in [For HTTPS connections on Linux, macOS, or Unix with the AWS CLI credential helper](setting-up-https-unixes.md) or [For HTTPS connections on Windows with the AWS CLI credential helper](setting-up-https-windows.md).
+ You have installed and configured the Git credential helper on the Amazon EC2 instance, as described in [For HTTPS connections on Linux, macOS, or Unix with the AWS CLI credential helper](setting-up-https-unixes.md) or [For HTTPS connections on Windows with the AWS CLI credential helper](setting-up-https-windows.md).

Amazon EC2 instances that meet the preceding requirements are already set up to communicate temporary access credentials to CodeCommit on your behalf.

**Note**  
You can configure and use **git-remote-codecommit** on Amazon EC2 instances.

To give users temporary access to your CodeCommit repositories, complete the following steps.



## Step 1: Complete the prerequisites
<a name="temporary-access-prerequisites"></a>

Complete the setup steps to provide a user with access to your CodeCommit repositories using rotating credentials: 
+ For cross-account access, see [Walkthrough: Delegating Access Across Amazon Web Services accounts Using IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-walkthrough-crossacct.html) and [Configure cross-account access to an AWS CodeCommit repository using roles](cross-account.md).
+ For SAML and federation, see [ Using Your Organization's Authentication System to Grant Access to AWS Resources](https://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#IdentityBrokerApplication) and [About AWS STS SAML 2.0-based Federation](https://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html).
+ For MFA, see [Using Multi-Factor Authentication (MFA) Devices with AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingMFA.html) and [Creating Temporary Security Credentials to Enable Access for IAM Users](https://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSessionTokens.html).
+ For Login with Amazon, Amazon Cognito, Facebook, Google, or any OIDC-compatible identity provider, see [About AWS STS Web Identity Federation](https://docs.aws.amazon.com/STS/latest/UsingSTS/web-identity-federation.html).

Use the information in [Authentication and access control for AWS CodeCommit](auth-and-access-control.md) to specify the CodeCommit permissions you want to grant the user.

## Step 2: Get role name or access credentials
<a name="temporary-access-get-credentials"></a>

If you want your users to access repositories by assuming a role, provide your users with the Amazon Resource Name (ARN) of that role. Otherwise, depending on the way you set up access, your user can get rotating credentials in one of the following ways:
+ For cross-account access, call the AWS CLI [assume-role](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html) command or call the AWS STS [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API.
+ For SAML, call the AWS CLI [assume-role-with-saml](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-saml.html) command or the AWS STS [AssumeRoleWithSAML](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html) API.
+ For federation, call the AWS CLI [assume-role](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html) or [get-federation-token](https://docs.aws.amazon.com/cli/latest/reference/sts/get-federation-token.html) commands or the AWS STS [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) or [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html) APIs.
+ For MFA, call the AWS CLI [get-session-token](https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html) command or the AWS STS [GetSessionToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html) API.
+ For Login with Amazon, Amazon Cognito, Facebook, Google, or any OIDC-compatible identity provider, call the AWS CLI [assume-role-with-web-identity](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html) command or the AWS STS [AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) API.



## Step 3: Install git-remote-codecommit and configure the AWS CLI
<a name="temporary-access-configure-credentials"></a>

You must configure your local computer to use the access credentials by installing [https://pypi.org/project/git-remote-codecommit/](https://pypi.org/project/git-remote-codecommit/) and configuring a profile in the AWS CLI.

1. Follow the instructions in [Setting up ](setting-up.md) to set up the AWS CLI. Use the **aws configure** command to configure one or more profiles. Consider creating a named profile to use when you connect to CodeCommit repositories using rotating credentials.

1. You can associate the credentials with the user's AWS CLI named profile in one of the following ways. 
   + If you are assuming a role to access CodeCommit, configure a named profile with the information required to assume that role. For example, if you want to assume a role named *CodeCommitAccess* in the Amazon Web Services account 111111111111, you can configure a default profile to use when working with other AWS resources and a named profile to use when assuming that role. The following commands create a named profile named *CodeAccess* that assumes a role named *CodeCommitAccess*. The user name *Maria_Garcia* is associated with the session, and the default profile is set as the source of its AWS credentials:

     ```
     aws configure set role_arn arn:aws:iam::111111111111:role/CodeCommitAccess --profile CodeAccess
     aws configure set source_profile default --profile CodeAccess
     aws configure set role_session_name "Maria_Garcia" --profile CodeAccess
     ```

     If you want to verify the changes, manually view or edit the `~/.aws/config` file (for Linux) or the `%UserProfile%\.aws\config` file (for Windows) and review the information under the named profile. For example, your file might look similar to the following:

     ```
     [default]
     region = us-east-1
     output = json
     
     [profile CodeAccess]
     source_profile = default
     role_session_name = Maria_Garcia
     role_arn = arn:aws:iam::111111111111:role/CodeCommitAccess
     ```

      After you have configured your named profile, you can then clone CodeCommit repositories with the **git-remote-codecommit** utility using the named profile. For example, to clone a repository named *MyDemoRepo*: 

     ```
     git clone codecommit://CodeAccess@MyDemoRepo
     ```
   + If you are using web identity federation and OpenID Connect (OIDC), configure a named profile that makes the AWS Security Token Service (AWS STS) `AssumeRoleWithWebIdentity` API call on your behalf to refresh temporary credentials. Use the **aws configure set** command or manually edit the `~/.aws/credentials` file (for Linux) or the `%UserProfile%\.aws\credentials` file (for Windows) to add an AWS CLI named profile with the required setting values. For example, to create a profile that assumes the *CodeCommitAccess* role and uses a web identity token file `~/my-credentials/my-token-file`:

     ```
     [CodeCommitWebIdentity]
     role_arn = arn:aws:iam::111111111111:role/CodeCommitAccess
     web_identity_token_file=~/my-credentials/my-token-file
     role_session_name = Maria_Garcia
     ```

   For more information, see [Configuring the AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) and [Using an IAM Role in the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html) in the *AWS Command Line Interface User Guide*.
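A preflight check for the profiles built in this step, added here as an example (it is not part of the AWS CLI or git-remote-codecommit). It parses the two files shown above with `configparser`, merges the `[profile name]` sections of `~/.aws/config` with the unprefixed sections of `~/.aws/credentials`, and reports what would stop a profile from yielding rotating credentials: no `role_arn`, neither `source_profile` nor `web_identity_token_file`, or a `source_profile` that does not exist. It also flags a missing `role_session_name`, because that name is what appears in CloudTrail for the assumed-role session. The sample files reuse the page's values plus a deliberately incomplete `Broken` profile; the repository name is a placeholder.

```python
"""Sanity-check AWS CLI profiles before using them with git-remote-codecommit.

Added example, not AWS code. Reads config/credentials text in the same INI
format the AWS CLI uses and validates the assume-role and web-identity shapes.
"""
import configparser

# Constructed samples: the two files from this step, plus one incomplete profile.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
output = json

[profile CodeAccess]
source_profile = default
role_session_name = Maria_Garcia
role_arn = arn:aws:iam::111111111111:role/CodeCommitAccess

[profile Broken]
role_session_name = Maria_Garcia
"""

SAMPLE_CREDENTIALS = """\
[CodeCommitWebIdentity]
role_arn = arn:aws:iam::111111111111:role/CodeCommitAccess
web_identity_token_file=~/my-credentials/my-token-file
role_session_name = Maria_Garcia
"""


def load_profiles(config_text, credentials_text=""):
    """Merge ~/.aws/config ('[profile X]', '[default]') and ~/.aws/credentials ('[X]') into one dict."""
    profiles = {}
    for text, prefix in ((credentials_text, ""), (config_text, "profile ")):
        parser = configparser.ConfigParser()
        parser.read_string(text)
        for section in parser.sections():
            if prefix and section.startswith(prefix):
                name = section[len(prefix):]
            elif prefix and section != "default":
                continue  # in config, only [default] may appear without the prefix
            else:
                name = section
            profiles.setdefault(name, {}).update(parser[section])
    return profiles


def check_rotating_profile(profiles, name):
    """Problems that would stop this profile from producing temporary credentials."""
    profile = profiles.get(name)
    if profile is None:
        return [f"profile {name!r} not found"]
    problems = []
    if "role_arn" not in profile:
        problems.append("role_arn missing: nothing to assume")
    has_source = "source_profile" in profile
    has_token = "web_identity_token_file" in profile
    if not (has_source or has_token):
        problems.append("needs source_profile (AssumeRole) or web_identity_token_file (AssumeRoleWithWebIdentity)")
    if has_source and profile["source_profile"] not in profiles:
        problems.append(f"source_profile {profile['source_profile']!r} is not defined")
    if "role_session_name" not in profile:
        problems.append("role_session_name missing: the session will be hard to attribute in CloudTrail")
    return problems


def remote_url(profile_name, repository_name):
    """The git-remote-codecommit URL form used in this topic."""
    return f"codecommit://{profile_name}@{repository_name}"


if __name__ == "__main__":
    known = load_profiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS)
    for name in ("CodeAccess", "CodeCommitWebIdentity", "Broken"):
        print(name, check_rotating_profile(known, name) or "ok", remote_url(name, "MyDemoRepo"))
```

To check the real files, read `~/.aws/config` and `~/.aws/credentials` (or their `%UserProfile%\.aws` equivalents on Windows) into the two text arguments; a profile that comes back clean is one `git clone codecommit://<profile>@<repository>` can use.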

## Step 4: Access the CodeCommit repositories
<a name="temporary-access-use-credentials"></a>

Assuming your user has followed the instructions in [Connect to a repository](how-to-connect.md) to connect to the CodeCommit repositories, the user then uses the extended functionality provided by **git-remote-codecommit** and Git to call **git clone**, **git push**, and **git pull** to clone, push to, and pull from the CodeCommit repositories to which they have access. For example, to clone a repository:

```
git clone codecommit://CodeAccess@MyDemoRepo
```

Git commit, push, and pull commands use regular Git syntax. 

When the user uses the AWS CLI and specifies the AWS CLI named profile associated with the rotating access credentials, results scoped to that profile are returned.

