> For the complete documentation index, see [llms.txt](https://docs.sprinto.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.sprinto.com/integrations/overview/aws-codecommit-integration.md).

# AWS CodeCommit Integration

AWS CodeCommit integration allows Sprinto to monitor repositories, pull requests, branches, and IAM user access configurations for compliance automation.

By integrating AWS CodeCommit with Sprinto, you can:

* Automate repository and access-related evidence collection
* Monitor repositories used for change management workflows
* Sync IAM user and access information for access reviews
* Track pull request approval activity for compliance checks
* Reduce manual evidence collection for controls related to code repositories and user access

Sprinto connects to AWS CodeCommit using IAM Role authentication.

***

### How AWS CodeCommit Integration Works

Sprinto integrates with AWS CodeCommit using IAM Role authentication.

The integration works by:

1. Creating an IAM role in AWS
2. Configuring a trust relationship with Sprinto’s AWS account
3. Attaching read-only permissions to the role
4. Using an External ID for secure role assumption
5. Providing the generated Role ARN to Sprinto
6. Selecting the AWS region where repositories are hosted

Sprinto uses the AWS SDK for JavaScript v3 to communicate securely with AWS APIs.

***

#### Sprinto checks for AWS CodeCommit

Below are the Sprinto checks available for AWS CodeCommit integration:

| Sprinto check | Reference procedure |
| --- | --- |
| AWS CodeCommit access should be removed for offboarded user | [How to fix](/pages/NCqV9BepFyI4nXfJArP4) |
| AWS CodeCommit user should have MFA enabled | [How to fix](/pages/82H3Gt6HK0c6vjdDWYl3) |
| Branch Protection rules should be enforced for admins | [How to fix](/pages/NCqV9BepFyI4nXfJArP4) |
| Peer review should be enforced for code changes | [How to fix](/pages/NCqV9BepFyI4nXfJArP4) |

### Permissions Required

Sprinto requires read-only access to AWS CodeCommit repositories and IAM metadata.

#### Recommended IAM Role Policy

Sprinto recommends attaching the following AWS managed policy to the IAM role:

* `AWSCodeCommitReadOnly`

This policy provides the required repository-level permissions needed for CodeCommit integration.

#### Alternative: Custom IAM Policy

If you prefer granular permissions instead of using the AWS managed policy, ensure the IAM role includes the following API permissions.

**Repository Sync Permissions**

These permissions are used for repository discovery and change management monitoring.

| API Permission | Purpose |
| --- | --- |
| `codecommit:ListRepositories` | Lists repositories in the AWS account |
| `codecommit:BatchGetRepositories` | Retrieves repository metadata |
| `codecommit:ListBranches` | Lists repository branches |
| `codecommit:ListPullRequests` | Lists pull requests |
| `codecommit:GetPullRequest` | Retrieves pull request details |
| `codecommit:GetPullRequestApprovalStates` | Retrieves approval information |

**User and Access Sync Permissions**

These permissions are used to monitor IAM user access.

| API Permission | Purpose |
| --- | --- |
| `iam:ListUsers` | Lists IAM users |
| `iam:ListGroupsForUser` | Retrieves groups assigned to users |
| `iam:ListAttachedUserPolicies` | Retrieves attached IAM policies |
| `iam:ListUserPolicies` | Retrieves inline policies |
| `iam:GenerateCredentialReport` | Generates AWS credential report |
| `iam:GetCredentialReport` | Retrieves credential report |
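As an added example (not Sprinto's code and not an AWS-published policy), the two permission tables above written as one custom identity policy document, together with a check that reports which of the required actions an arbitrary policy fails to grant. The `Resource: "*"` scope is an assumption: these list and credential-report calls are account-wide and cannot be narrowed to a single repository ARN.

```python
import fnmatch

# Actions from the two permission tables above. Resource "*" is an assumption:
# these list/report calls are account-wide and cannot be scoped to one repo ARN.
CODECOMMIT_SYNC_ACTIONS = [
    "codecommit:ListRepositories",
    "codecommit:BatchGetRepositories",
    "codecommit:ListBranches",
    "codecommit:ListPullRequests",
    "codecommit:GetPullRequest",
    "codecommit:GetPullRequestApprovalStates",
]
IAM_SYNC_ACTIONS = [
    "iam:ListUsers",
    "iam:ListGroupsForUser",
    "iam:ListAttachedUserPolicies",
    "iam:ListUserPolicies",
    "iam:GenerateCredentialReport",
    "iam:GetCredentialReport",
]
REQUIRED_ACTIONS = CODECOMMIT_SYNC_ACTIONS + IAM_SYNC_ACTIONS

# Custom identity policy document equivalent to the tables (one statement each).
SPRINTO_READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": CODECOMMIT_SYNC_ACTIONS, "Resource": "*"},
        {"Effect": "Allow", "Action": IAM_SYNC_ACTIONS, "Resource": "*"},
    ],
}

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions `policy` does not grant. Action names are
    case-insensitive and may use "*"/"?" wildcards (hence fnmatch); an explicit
    Deny beats any Allow, as in IAM. NotAction statements are not modelled."""
    allowed, denied = [], []
    for stmt in policy.get("Statement", []):
        acts = stmt.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.extend(a.lower() for a in acts)
    missing = []
    for action in required:
        name = action.lower()
        granted = any(fnmatch.fnmatchcase(name, p) for p in allowed)
        blocked = any(fnmatch.fnmatchcase(name, p) for p in denied)
        if blocked or not granted:
            missing.append(action)
    return missing
```

Run `missing_actions()` against the policy document actually attached to the role (for example, the output of `aws iam get-policy-version`) to confirm nothing from the tables is missing before connecting.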

***

### Data Accessed by Sprinto

Sprinto accesses read-only repository and IAM metadata.

#### Repository Data

Sprinto syncs:

* Repository name
* Repository ID
* Description
* Default branch
* Clone URLs
* ARN
* Repository creation metadata

#### Branch Data

Sprinto syncs:

* Branch names for each repository

#### Pull Request Data

Sprinto syncs:

* Pull request metadata
* Pull request approval status
* Pull request state information

#### IAM User Data

Sprinto syncs:

* IAM users
* User groups
* Attached IAM policies
* Console access state
* Last login details

***

### Prerequisites

Before connecting AWS CodeCommit to Sprinto, ensure that:

* You are logged in to the Sprinto Admin portal
* You have administrator-level access to AWS Identity and Access Management (IAM)
* You have permission to create IAM roles and attach policies
* You have access to the AWS account where CodeCommit repositories are hosted
* You have access to the AWS region where your CodeCommit repositories exist

***

### Connect AWS CodeCommit in Sprinto

To start the integration:

1. Log in to Sprinto.
2. Go to **Settings**.
3. Select **Integrations**.
4. Under the **All** tab, search for **AWS CodeCommit**.
5. Click **Connect** next to AWS CodeCommit.


A drawer opens displaying integration details.

#### Review Integration Details

The connection drawer provides the following information:

**Automate Evidences For**

Sprinto displays:

* Number of automated controls
* Number of automated checks

**Permission & Data**

Sprinto displays:

**Permissions Required**

* `read_api`
* `read_repository`

**Data Used by Sprinto**

* Repositories
* Repository branches

**Additional Information**

Sprinto displays access requirements for the integration.

After reviewing the details, click **Next**.


### Create IAM Role in AWS

Sprinto provides setup instructions to create an IAM role in AWS.

#### Create an IAM Role

1. Log in to your AWS Management Console.
2. Go to **IAM**.
3. Navigate to **Roles**.
4. Click **Create role**.


5. Select **Another AWS account**.
6. Under **Specify accounts that can use this role**, enter Sprinto’s AWS account ID.
7. Select **Require external ID**.
8. Paste the External ID provided by Sprinto.
9. Ensure **Require MFA** is not selected.


10. Click **Next**.

#### Attach Permissions

1. On the **Attach permissions policies** screen, search for:
   * `AWSCodeCommitReadOnly`
2. Select the policy.
3. Click **Next**.


#### Configure Role Name

1. On the review screen, enter a role name, for example `sprinto-codecommit-role`.
2. Click **Create role**.

#### Retrieve Role ARN

1. Open the newly created role.
2. Copy the **Role ARN**.
3. Keep the ARN available for the Sprinto setup flow.


### Configure Trust Relationship and External ID

Sprinto requires a secure trust relationship to access AWS resources.

When creating the IAM role:

* Add Sprinto’s AWS Account ID
* Add Sprinto’s External ID
* Enable third-party access using role assumption
* Disable MFA requirement for role assumption

This ensures Sprinto can securely assume the role without direct credentials.
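An added example, not Sprinto's own code: the trust policy the bullets above describe, and a check for the documented requirements (Sprinto's account as principal, an `sts:ExternalId` condition, no MFA condition). The account ID and External ID below are placeholders; the real values are shown in the Sprinto connection drawer.

```python
import json

# Placeholders: Sprinto's AWS account ID and the External ID are shown in the
# Sprinto connection drawer; the values below are constructed for this example.
SPRINTO_ACCOUNT_ID = "111111111111"   # placeholder, not Sprinto's real account
EXTERNAL_ID = "example-external-id"   # placeholder, paste the value Sprinto shows

def build_trust_policy(account_id, external_id):
    """Trust policy matching the console choices above: another AWS account,
    require external ID, no MFA condition."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def trust_policy_problems(policy, account_id, external_id):
    """Return reasons the trust policy would not let Sprinto assume the role;
    an empty list means it matches the documented requirements."""
    wanted = {f"arn:aws:iam::{account_id}:root", account_id}
    sprinto_stmts = []
    for s in policy.get("Statement", []):
        principal = s.get("Principal", {})
        principal = principal.get("AWS", []) if isinstance(principal, dict) else []
        principals = [principal] if isinstance(principal, str) else principal
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (s.get("Effect") == "Allow" and wanted & set(principals)
                and "sts:AssumeRole" in actions):
            sprinto_stmts.append(s)
    if not sprinto_stmts:
        return ["no Allow statement lets Sprinto's account call sts:AssumeRole"]
    problems = []
    for s in sprinto_stmts:
        cond = s.get("Condition", {})
        if cond.get("StringEquals", {}).get("sts:ExternalId") != external_id:
            problems.append("sts:ExternalId condition missing or does not match")
        if "aws:MultiFactorAuthPresent" in json.dumps(cond):
            problems.append("MFA condition present; Sprinto assumes the role without MFA")
    return problems
```

The External ID condition is what stops a third party that knows only the role ARN from assuming the role through Sprinto's account (the confused-deputy case), so treat it as required, not optional.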

### Provide Role ARN in Sprinto

Once the IAM role is created:

1. Return to Sprinto.
2. Select the **I have the sprinto-codecommit-role ARN** checkbox.
3. Click **Connect AWS CodeCommit**.


A new drawer opens requesting connection details.

### Select AWS Region and Complete Setup

1. Paste the **Role ARN** copied from AWS.
2. Select the **Production AWS Region** where CodeCommit repositories exist.
3. Click **Connect AWS CodeCommit**.


Sprinto validates the IAM role and establishes the connection.

Once successful, AWS CodeCommit appears as an active integration.

***

### Synced Data

After integration, Sprinto syncs the following information.

| Category | Synced Data |
| --- | --- |
| Repositories | Repository metadata, clone URLs, branch configuration |
| Pull Requests | Pull request state and approvals |
| IAM Access | Users, groups, policies, login state |
| Branches | Repository branch information |

***

### Post Connection Flow

After AWS CodeCommit is connected:

#### Repository Discovery

Sprinto discovers repositories available in the selected AWS region.

#### Access Review Monitoring

Sprinto retrieves IAM users and policies associated with repository access.

#### Change Management Evidence

Sprinto uses repository and pull request data to support change management controls.

#### Automated Checks

Sprinto continuously validates configured checks related to:

* Repository configuration
* Pull request approvals
* IAM access hygiene
* Change management evidence

#### Ongoing Synchronisation

Sprinto periodically refreshes repository and IAM metadata to maintain compliance evidence.

### Limitations and Considerations

AWS CodeCommit provides limited pull request metadata compared to GitHub or GitLab.

#### Known Limitations

* Basic approval tracking only
* No branch protection rules API
* Limited pull request event history
* Reduced metadata availability compared to modern repository platforms

#### Recommendation

Sprinto recommends using a ticketing integration alongside AWS CodeCommit for stronger change management evidence collection.

***

### Troubleshooting

#### Unable to Connect AWS CodeCommit

Ensure:

* The Role ARN is correct.
* The AWS region selected contains CodeCommit repositories.
* The IAM role trust relationship includes Sprinto’s AWS account.
* The External ID matches the value provided in Sprinto.
* The IAM role contains required permissions.

#### Sprinto Cannot Access Repositories

Ensure:

* The `AWSCodeCommitReadOnly` policy is attached.
* The AWS account contains accessible CodeCommit repositories.
* The role assumption configuration is correct.

#### Role ARN Validation Fails

Ensure:

* The ARN is copied from the IAM role details page.
* No additional spaces or invalid characters are present.
* The IAM role exists in the selected AWS account.
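An added example, not part of Sprinto's documentation or code: a check that turns the three bullets above into something you can run on a pasted ARN before submitting it. The optional expected-account argument is an assumption for when you know which AWS account the role should live in.

```python
import re

# Role ARN shape: arn:<partition>:iam::<12-digit account>:role/<path><name>
# Role names allow [A-Za-z0-9+=,.@_-]; an optional path is "/"-separated segments.
ROLE_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::(?P<account>\d{12})"
    r":role/(?P<path>(?:[A-Za-z0-9+=,.@_-]+/)*)(?P<name>[A-Za-z0-9+=,.@_-]+)$"
)

def check_role_arn(arn, expected_account=None):
    """Return (ok, detail): detail is the role name on success, otherwise the
    reason the value would fail validation (stray whitespace, invisible or
    non-ASCII characters, not a role ARN, or the wrong account)."""
    if arn != arn.strip():
        return False, "leading or trailing whitespace; copy the ARN again"
    if not arn.isascii() or not arn.isprintable():
        return False, "contains non-ASCII or non-printable characters"
    m = ROLE_ARN_RE.match(arn)
    if not m:
        return False, "not an IAM role ARN (expected arn:aws:iam::<account>:role/<name>)"
    if expected_account and m["account"] != expected_account:
        return False, f"role is in account {m['account']}, not {expected_account}"
    return True, m["name"]
```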

***

### Support

Contact [Sprinto support](mailto:www.support@sprinto.com) if you have any queries regarding the integration or need any assistance.

