By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Restricting CodeCommit PR merges to non-authors

0

Hello.

Our organization needs to ensure that developers who open a PR into the main branch of a given CodeCommit Repository cannot merge that same PR. How can this be accomplished?

(We already use an approval rule template to ensure that only members of a certain IAM group can approve such PRs, but our SOC Auditor has requested the additional restriction.)

Thanks, – benton

Topics
Developer ToolsSecurity, Identity, & Compliance
Tags
AWS CodeCommitIAM Policies
Language
English
benton
asked 5 months ago176 views
1 Answer
0

Hello,

The recommended approach to accomplish this is with the use of Approval Rule templates where until the conditions of the templates are not satisfied, the PR will not be merged.

There is a feature where you can also override approval rules for a pull request[1], however if the OverridePullRequestApprovalRules API call[2] is denied for an IAM user, the user cannot override the rules.

[1] Override approval rules on a pull request - https://docs.aws.amazon.com/codecommit/latest/userguide/how-to-override-approval-rules.html

[2] OverridePullRequestApprovalRules - https://docs.aws.amazon.com/codecommit/latest/APIReference/API_OverridePullRequestApprovalRules.html

Therefore, suggesting you to limit your developers for the above API call, and use Approval Rule templates for controlling who can merge the pull requests.

Hoping that the above helps. Thank you.

AWS
SUPPORT ENGINEER
AWS-User-arpit
answered 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content