I'm trying to create an AWS IAM policy to help my team lock down our CodeCommit repositories. The idea is, any repository which needs to be locked down will have an "Owner" tag, the value of which will be the username of the only user who will have privileges to push/merge to main and/or edit the repository as a whole. The policy I've defined so far is as follows:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LockMasterProductionBranches",
            "Effect": "Deny",
            "Action": [
                "codecommit:GitPush",
                "codecommit:DeleteBranch",
                "codecommit:PutFile",
                "codecommit:MergeBranchesByFastForward",
                "codecommit:MergeBranchesBySquash",
                "codecommit:MergeBranchesByThreeWay",
                "codecommit:MergePullRequestByFastForward",
                "codecommit:MergePullRequestBySquash",
                "codecommit:MergePullRequestByThreeWay"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIfExists": {
                    "codecommit:References": [
                        "refs/heads/master",
                        "refs/heads/prod"
                    ]
                },
                "Null": {
                    "codecommit:References": "false"
                },
                "StringNotEqualsIgnoreCase": {
                    "aws:ResourceTag/Owner": "${aws:username}"
                }
            }
        },
        {
            "Sid": "LockRepo",
            "Effect": "Deny",
            "Action": [
                "codecommit:UpdateDefaultBranch",
                "codecommit:CreatePullRequestApprovalRule",
                "codecommit:DeletePullRequestApprovalRule",
                "codecommit:OverridePullRequestApprovalRules",
                "codecommit:UpdatePullRequestApprovalRuleContent",
                "codecommit:DeleteRepository",
                "codecommit:UpdateRepositoryDescription",
                "codecommit:UpdateRepositoryName",
                "codecommit:TagResource",
                "codecommit:UntagResource",
                "codecommit:PutRepositoryTriggers"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIgnoreCase": {
                    "aws:ResourceTag/Owner": "${aws:username}"
                }
            }
        }
    ]
}
The issue thus far is that if a repository doesn't have the "Owner" tag, then nobody can edit it.
As such, the question is, how do I need to configure my conditions such that these deny actions only take effect if:
- The "Owner" tag exists
- The user trying to take the action does NOT have the same username as the value of the "Owner" tag
Any help would be greatly appreciated. Many thanks!
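Added illustration, not part of the question above: a small Python model of how IAM evaluates the Condition block of the LockMasterProductionBranches statement. It encodes the documented rules that matter here (operators in a Condition are ANDed; a missing context key makes a positive operator false, a negated operator such as StringNotEquals true, and an ...IfExists operator true; `"Null": {key: "false"}` requires the key to be present). Run against the poster's condition block it reproduces the reported symptom, a repository with no Owner tag is denied for every user, because `aws:ResourceTag/Owner` is absent and the negated StringNotEqualsIgnoreCase therefore matches. `FIXED_CONDITION` adds one Null check on the Owner tag so the Deny only fires when the tag exists. The user names, tag values and refs are constructed test scenarios; nothing here calls AWS.

```python
"""Toy model of IAM Condition evaluation for the CodeCommit lock-down policy.

Constructed example, not AWS code. Only the operators used in the question
are modelled: StringEquals / StringNotEquals (with IgnoreCase and IfExists
suffixes) and Null.
"""
import copy
import re

# The LockMasterProductionBranches Condition block exactly as posted.
ORIGINAL_CONDITION = {
    "StringEqualsIfExists": {
        "codecommit:References": ["refs/heads/master", "refs/heads/prod"]
    },
    "Null": {"codecommit:References": "false"},
    "StringNotEqualsIgnoreCase": {"aws:ResourceTag/Owner": "${aws:username}"},
}

# Same block plus one extra Null check: the Deny now also requires the Owner
# tag to be present, so untagged repositories are governed only by whatever
# Allow statements the identity already has.
FIXED_CONDITION = copy.deepcopy(ORIGINAL_CONDITION)
FIXED_CONDITION["Null"]["aws:ResourceTag/Owner"] = "false"


def substitute(value, ctx):
    """Expand ${key} policy variables from the request context (empty if absent)."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)


def eval_operator(op, key, values, ctx):
    """Evaluate one (operator, key, values) triple against a request context."""
    values = [values] if isinstance(values, str) else list(values)
    values = [substitute(v, ctx) for v in values]
    present = key in ctx
    if op == "Null":
        # "true" matches an absent key, "false" matches a present one
        return (values[0].lower() == "true") != present
    if_exists = op.endswith("IfExists")
    base = op[: -len("IfExists")] if if_exists else op
    ignore_case = base.endswith("IgnoreCase")
    base = base[: -len("IgnoreCase")] if ignore_case else base
    if base not in ("StringEquals", "StringNotEquals"):
        raise ValueError(f"operator {op} is not modelled")
    negated = base == "StringNotEquals"
    if not present:
        # IAM: negated and ...IfExists operators match when the key is missing
        return negated or if_exists
    norm = str.lower if ignore_case else str
    matched = any(norm(ctx[key]) == norm(v) for v in values)
    return matched != negated


def condition_matches(condition, ctx):
    """Every operator, and every key inside each operator, must match (IAM ANDs them)."""
    return all(
        eval_operator(op, key, values, ctx)
        for op, keys in condition.items()
        for key, values in keys.items()
    )


def push_denied(condition, username, ref, owner_tag=None):
    """Would a Deny statement with this Condition block stop `username` pushing `ref`?

    owner_tag=None models a repository without the Owner tag, i.e. the
    aws:ResourceTag/Owner key is absent from the request context.
    """
    ctx = {"aws:username": username, "codecommit:References": ref}
    if owner_tag is not None:
        ctx["aws:ResourceTag/Owner"] = owner_tag
    return condition_matches(condition, ctx)


if __name__ == "__main__":
    # (username, ref, Owner tag or None): constructed scenarios
    cases = [
        ("alice", "refs/heads/master", "alice"),
        ("bob", "refs/heads/master", "alice"),
        ("bob", "refs/heads/feature", "alice"),
        ("bob", "refs/heads/master", None),
    ]
    for user, ref, tag in cases:
        print(f"{user:>5} -> {ref:<18} Owner={tag!s:<5} "
              f"original denies={push_denied(ORIGINAL_CONDITION, user, ref, tag)!s:<5} "
              f"fixed denies={push_denied(FIXED_CONDITION, user, ref, tag)}")
```

The last scenario is the one the question describes: with the posted block the push to master on an untagged repository is denied for everyone, with the extra Null check it is not. The model deliberately keeps `codecommit:References` single-valued; a real push can carry several refs, and how IAM applies single-valued operators to a multi-valued key is outside what this toy covers.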