
I set up CodeDeploy with the Bitbucket UI. So if I share my repo with someone, he can deploy to the server. He can also modify the appspec.yml file, which means that he could add hooks and run them as the root user.

I know that this is unlikely to happen, but I don't want to give root access to all contributors.

Can I somehow prevent hooks from using `runas: root`? Maybe I can add some restrictions to the IAM role?

artnikbrothers
  • 1) If you use `CodeCommit` for your git repo and use `CodeDeploy` using `CodePipelines`, then you can add a step in the pipeline to manually approve before any deployment; not sure about the same in a Bitbucket repo and Bitbucket pipelines. – Ankit Sharma Feb 23 '17 at 08:12
  • 2) Another option is to keep a separate branch for `dev` and add `ignore merge` for the file `appspecs.yml`; this will never merge the changes made by dev in `appspecs.yml`. – Ankit Sharma Feb 23 '17 at 08:14
