Privately access code commit repo

Question

Hi all,

I have a scenario where I want to let the user to only access Code Commit repo privately. So i configured a VPC, VPN, Code Commit VPC Endpoint that are within the private subnet of the VPC, and Code Commit repo.

My plan is to have the user connected to the VPN connection into my VPC only then they can do their work with the Code Commit (git push etc.).

When i tested this setup I am still able to access the repo when i am not connected to the VPN at all.

What is the main problem in my setup? Is it possible to do this?

Accepted Answer

Hello.

Try adding the following policy to the IAM user's policy.  
If you add this, you will not be able to access CodeCommit unless you go through the VPC endpoint.  
```
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "codecommit:*"
          ],
          "Resource": [
              "*"
          ],
          "Condition": {
              "StringEquals": {
                  "aws:sourceVpce": [
                      "VPC EndPoint ID"
                  ]
              }
          }
      }
  ]
}
```

Answer

Apart finding a proper resource policy, you could  use security groups on the vpc interface endpoint and whitelist only IPs you need.

Privately access code commit repo

Conteúdo relevante