AWS codecommit documentation change
Summary
Removed 'Customer managed integration policy examples' section and updated example account IDs from 111111111111 to 111122223333. Added JSON section headers and formatting.
Security assessment
The changes primarily involve removing outdated integration examples and standardizing placeholder account IDs. While modifying account IDs improves documentation accuracy, there's no evidence this addresses an active security vulnerability. The removed integration examples were likely deprecated content rather than security fixes.
Diff
diff --git a/codecommit/latest/userguide/customer-managed-policies.md b/codecommit/latest/userguide/customer-managed-policies.md index b63a5030e..acb379e81 100644 --- a//codecommit/latest/userguide/customer-managed-policies.md +++ b//codecommit/latest/userguide/customer-managed-policies.md @@ -5 +5 @@ -Customer managed identity policy examplesCustomer managed integration policy examples +Customer managed identity policy examples @@ -17,2 +16,0 @@ You can create your own custom IAM policies to allow permissions for CodeCommit - * Customer managed integration policy examples - @@ -48,0 +47,6 @@ The following permissions policy uses a wildcard character (`"codecommit:*"`) to +JSON + + +**** + + @@ -81,0 +87,6 @@ The following example allows the specified user to pull from, and push to, the C +JSON + + +**** + + @@ -92 +103 @@ The following example allows the specified user to pull from, and push to, the C - "Resource" : "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo" + "Resource" : "arn:aws:codecommit:us-east-2:111122223333:MyDemoRepo" @@ -102,0 +115,6 @@ You can create a `Deny` policy that denies access to all users who are not withi +JSON + + +**** + + @@ -125,0 +145,6 @@ The following example policy allows the specified user to access a CodeCommit re +JSON + + +**** + + @@ -148 +173 @@ The following example policy allows the specified user to access a CodeCommit re - "Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo", + "Resource": "arn:aws:codecommit:us-east-2:111122223333:MyDemoRepo", @@ -169,0 +196,6 @@ If you want to create a policy that applies to all branches named _main_ in all +JSON + + +**** + + @@ -199,0 +233,6 @@ The following example policy allows a user to make changes to a branch named mai +JSON + + +**** + + @@ -227,0 +268,6 @@ The following example denies all CodeCommit actions on repositories tagged with +JSON + + +**** + + @@ -298,0 +346,6 @@ This policy example only includes actions for CodeCommit. It does not include ac +JSON + + +**** + + @@ -378,127 +430,0 @@ This policy example only includes actions for CodeCommit. It does not include ac -## Customer managed integration policy examples - -This section provides example customer-managed user policies that grant permissions for integrations between CodeCommit and other AWS services. For specific examples of policies that allow cross-account access to a CodeCommit repository, see [Configure cross-account access to an AWS CodeCommit repository using roles](./cross-account.html). - -###### Note - -All examples use the US West (Oregon) Region (us-west-2) when an AWS Region is required, and contain fictitious account IDs. - -**Examples** - - * Example 1: Create a policy that enables cross-account access to an Amazon SNS topic - - * Example 2: Create an Amazon Simple Notification Service (Amazon SNS) topic policy to allow Amazon CloudWatch Events to publish CodeCommit events to the topic - - * Example 3: Create a policy for AWS Lambda integration with a CodeCommit trigger - - - - -### Example 1: Create a policy that enables cross-account access to an Amazon SNS topic - -You can configure a CodeCommit repository so that code pushes or other events trigger actions, such as sending a notification from Amazon Simple Notification Service (Amazon SNS). If you create the Amazon SNS topic with the same account used to create the CodeCommit repository, you do not need to configure additional IAM policies or permissions. You can create the topic, and then create the trigger for the repository. For more information, see [Create a trigger for an Amazon SNS topic](./how-to-notify-sns.html). - -However, if you want to configure your trigger to use an Amazon SNS topic in another Amazon Web Services account, you must first configure that topic with a policy that allows CodeCommit to publish to that topic. From that other account, open the Amazon SNS console, choose the topic from the list, and for **Other topic actions** , choose **Edit topic policy**. On the **Advanced** tab, modify the policy for the topic to allow CodeCommit to publish to that topic. For example, if the policy is the default policy, you would modify the policy as follows, changing the items in `red italic text` to match the values for your repository, Amazon SNS topic, and account: - - - { - "Version": "2008-10-17", - "Id": "__default_policy_ID", - "Statement": [ - { - "Sid": "__default_statement_ID", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": [ - "sns:Subscribe", - "sns:ListSubscriptionsByTopic", - "sns:DeleteTopic", - "sns:GetTopicAttributes", - "sns:Publish", - "sns:RemovePermission", - "sns:AddPermission", "sns:SetTopicAttributes" - ], - "Resource": "arn:aws:sns:us-east-2:111111111111:NotMySNSTopic", - "Condition": { - "StringEquals": { - "AWS:SourceOwner": "111111111111" - } - } - }, - { - "Sid": "CodeCommit-Policy_ID", - "Effect": "Allow", - "Principal": { - "Service": "codecommit.amazonaws.com" - }, - "Action": "sns:Publish", - "Resource": "arn:aws:sns:us-east-2:111111111111:NotMySNSTopic", - "Condition": { - "StringEquals": { - "AWS:SourceArn": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo", - "AWS:SourceAccount": "111111111111" - } - } - } - ] - } - -### Example 2: Create an Amazon Simple Notification Service (Amazon SNS) topic policy to allow Amazon CloudWatch Events to publish CodeCommit events to the topic - -You can configure CloudWatch Events to publish to an Amazon SNS topic when events occur, including CodeCommit events. To do so, you must make sure that CloudWatch Events has permission to publish events to your Amazon SNS topic by creating a policy for the topic or modifying an existing policy for the topic similar to the following: - - - { - "Version": "2008-10-17", - "Id": "__default_policy_ID", - "Statement": [ - { - "Sid": "__default_statement_ID", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": "sns:Publish", - "Resource": "arn:aws:sns:us-east-2:123456789012:MyTopic", - "Condition": { - "StringEquals": { - "AWS:SourceOwner": "123456789012" - } - } - }, - { - "Sid": "Allow_Publish_Events", - "Effect": "Allow", - "Principal": { - "Service": "events.amazonaws.com" - }, - "Action": "sns:Publish", - "Resource": "arn:aws:sns:us-east-2:123456789012:MyTopic" - } - ] - } - -For more information about CodeCommit and CloudWatch Events, see [CloudWatch Events Event Examples From Supported Services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/EventTypes.html#codecommit_event_type). For more information about IAM and policy language, see [Grammar of the IAM JSON Policy Language](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html). - -### Example 3: Create a policy for AWS Lambda integration with a CodeCommit trigger - -You can configure a CodeCommit repository so that code pushes or other events trigger actions, such as invoking a function in AWS Lambda. For more information, see [Create a trigger for a Lambda function](./how-to-notify-lambda.html). This information is specific to triggers, and not CloudWatch Events. - -If you want your trigger to run a Lambda function directly (instead of using an Amazon SNS topic to invoke the Lambda function), and you do not configure the trigger in the Lambda console, you must include a statement similar to the following in the function's resource-based policy: - - - { - "Statement":{ - "StatementId":"Id-1", - "Action":"lambda:InvokeFunction", - "Principal":"codecommit.amazonaws.com", - "SourceArn":"arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo", - "SourceAccount":"111111111111" - } - } - -When manually configuring a CodeCommit trigger that invokes a Lambda function, you must also use the Lambda [AddPermission](https://docs.aws.amazon.com/lambda/latest/dg/API_AddPermission.html) command to grant permission for CodeCommit to invoke the function. For an example, see the [To allow CodeCommit to run a Lambda function](./how-to-notify-lambda-cc.html#how-to-notify-lambda-create-function-perm) section of [Create a trigger for an existing Lambda function](./how-to-notify-lambda-cc.html). - -For more information about resource policies for Lambda functions, see [AddPermission](https://docs.aws.amazon.com/lambda/latest/dg/API_AddPermission.html) and [The Pull/Push Event Models](https://docs.aws.amazon.com/lambda/latest/dg/intro-invocation-modes.html) in the _AWS Lambda Developer Guide_.