0

I try to limit possibility to push changes to release branch on CodeCommit repository on AWS. The problem is that release branch has subbranches like releases/3.4.1 or releases/4.1.4 and i want to prevent from push changes to any subbranch. I wrote policy which should do this what i want but it do not work completly.

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Deny",
        "Action": [
            "codecommit:GitPush"
        ],
        "Resource": "arn:aws:codecommit:(myRegion):(myAccount):(myReposotory)",
        "Condition": {
            "StringLikeIfExists": {
                "codecommit:References": [
                    "refs/heads/releases/"
                ]
            },
            "Null": {
                "codecommit:References": false
            }
        }
    }
]}

User still has privilege to push changes to releases subbranches. What's wrong with this policy?

Pepesha404
  • 1
  • 1

1 Answers1

0

I'm not sure if this will solve your issue, but I stumbled over your issue while searching for sth else and had the AWS documentation open in parallel and saw that they use a different condition.

Instead of StringLikeIfExists they use StringEqualsIfExists.

Their code snippet adjusted for your case:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "codecommit:GitPush"
            ],
            "Resource": "arn:aws:codecommit:(myRegion):(myAccount):(myReposotory)",
            "Condition": {
                "StringEqualsIfExists": {
                    "codecommit:References": [
                        "refs/heads/releases/"
                     ]
                },
                "Null": {
                    "codecommit:References": "false"
                }
            }
        }
    ]
}

Link to that documentation: https://docs.aws.amazon.com/codecommit/latest/userguide/how-to-conditional-branch.html#how-to-conditional-branch-create-policy

Michael Aicher
  • 629
  • 12
  • 14