
AWS CodeCommit Integration

Learn how to connect AWS CodeCommit with Sprinto to automate repository monitoring, access reviews, and evidence collection using an IAM role and AWS CodeCommit read-only permissions.

AWS CodeCommit integration allows Sprinto to monitor repositories, pull requests, branches, and IAM user access configurations for compliance automation.

By integrating AWS CodeCommit with Sprinto, you can:

  • Automate repository and access-related evidence collection

  • Monitor repositories used for change management workflows

  • Sync IAM user and access information for access reviews

  • Track pull request approval activity for compliance checks

  • Reduce manual evidence collection for controls related to code repositories and user access

Sprinto connects to AWS CodeCommit using IAM Role authentication.


How AWS CodeCommit Integration Works

Sprinto integrates with AWS CodeCommit using IAM Role authentication.

The integration works by:

  1. Creating an IAM role in AWS

  2. Configuring a trust relationship with Sprinto’s AWS account

  3. Attaching read-only permissions to the role

  4. Using an External ID for secure role assumption

  5. Providing the generated Role ARN to Sprinto

  6. Selecting the AWS region where repositories are hosted

Sprinto uses the AWS SDK for JavaScript v3 to communicate securely with AWS APIs.


Sprinto checks for AWS CodeCommit

Below are the Sprinto checks available for AWS CodeCommit integration:

Sprinto check                                                   Reference procedure

AWS CodeCommit access should be removed for offboarded user
AWS CodeCommit user should have MFA enabled
Branch Protection rules should be enforced for admins
Peer review should be enforced for code changes

Permissions Required

Sprinto requires read-only access to AWS CodeCommit repositories and IAM metadata.

Sprinto recommends attaching the following AWS managed policy to the IAM role:

  • AWSCodeCommitReadOnly

This policy provides the required repository-level permissions needed for CodeCommit integration.

Alternative: Custom IAM Policy

If you prefer granular permissions instead of using the AWS managed policy, ensure the IAM role includes the following API permissions.

Repository Sync Permissions

These permissions are used for repository discovery and change management monitoring.

API Permission                              Purpose

codecommit:ListRepositories                 Lists repositories in the AWS account
codecommit:BatchGetRepositories             Retrieves repository metadata
codecommit:ListBranches                     Lists repository branches
codecommit:ListPullRequests                 Lists pull requests
codecommit:GetPullRequest                   Retrieves pull request details
codecommit:GetPullRequestApprovalStates     Retrieves approval information

User and Access Sync Permissions

These permissions are used to monitor IAM user access.

API Permission                              Purpose

iam:ListUsers                               Lists IAM users
iam:ListGroupsForUser                       Retrieves groups assigned to users
iam:ListAttachedUserPolicies                Retrieves attached IAM policies
iam:ListUserPolicies                        Retrieves inline policies
iam:GenerateCredentialReport                Generates AWS credential report
iam:GetCredentialReport                     Retrieves credential report
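The custom policy that the two permission tables above describe, written out as an IAM policy document, together with a check that flags any Allow action falling outside that read-only set (including wildcards such as codecommit:* that would silently grant write access). This is an added example, not Sprinto's code; the statement IDs are constructed, and the Resource value "*" is an assumption to narrow to repository ARNs where an action supports it.

```python
import json

# Actions from the two permission tables above, grouped by purpose.
REPOSITORY_SYNC_ACTIONS = [
    "codecommit:ListRepositories", "codecommit:BatchGetRepositories",
    "codecommit:ListBranches", "codecommit:ListPullRequests",
    "codecommit:GetPullRequest", "codecommit:GetPullRequestApprovalStates",
]
USER_ACCESS_SYNC_ACTIONS = [
    "iam:ListUsers", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies",
    "iam:ListUserPolicies", "iam:GenerateCredentialReport", "iam:GetCredentialReport",
]
ALLOWED_ACTIONS = frozenset(REPOSITORY_SYNC_ACTIONS + USER_ACCESS_SYNC_ACTIONS)


def build_custom_policy() -> dict:
    """Customer-managed policy granting exactly the listed read-only actions.
    Statement IDs are constructed; Resource "*" is an assumption (see lead-in)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "SprintoRepositorySync", "Effect": "Allow",
             "Action": REPOSITORY_SYNC_ACTIONS, "Resource": "*"},
            {"Sid": "SprintoUserAccessSync", "Effect": "Allow",
             "Action": USER_ACCESS_SYNC_ACTIONS, "Resource": "*"},
        ],
    }


def excess_actions(policy: dict) -> list:
    """Return Allow actions outside the read-only set, including wildcards
    such as 'codecommit:*' that would grant the role write access."""
    excess = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        excess.extend(a for a in actions if "*" in a or a not in ALLOWED_ACTIONS)
    return excess


if __name__ == "__main__":
    print(json.dumps(build_custom_policy(), indent=2))
    # Constructed over-broad policy of the kind a reviewer should reject.
    broad = {"Statement": [{"Effect": "Allow", "Action": "codecommit:*"}]}
    print(excess_actions(broad))
```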


Data Accessed by Sprinto

Sprinto accesses read-only repository and IAM metadata.

Repository Data

Sprinto syncs:

  • Repository name

  • Repository ID

  • Description

  • Default branch

  • Clone URLs

  • ARN

  • Repository creation metadata

Branch Data

Sprinto syncs:

  • Branch names for each repository

Pull Request Data

Sprinto syncs:

  • Pull request metadata

  • Pull request approval status

  • Pull request state information

IAM User Data

Sprinto syncs:

  • IAM users

  • User groups

  • Attached IAM policies

  • Console access state

  • Last login details


Prerequisites

Before connecting AWS CodeCommit to Sprinto, ensure that:

  • You are logged in to the Sprinto Admin portal

  • You have administrator-level access to AWS Identity and Access Management (IAM)

  • You have permission to create IAM roles and attach policies

  • You have access to the AWS account where CodeCommit repositories are hosted

  • You have access to the AWS region where your CodeCommit repositories exist


Connect AWS CodeCommit in Sprinto

To start the integration:

  1. Log in to Sprinto.

  2. Go to Settings.

  3. Select Integrations.

  4. Under the All tab, search for AWS CodeCommit.

  5. Click Connect next to AWS CodeCommit.

A drawer opens displaying integration details.

Review Integration Details

The connection drawer provides the following information:

Automate Evidences For

Sprinto displays:

  • Number of automated controls

  • Number of automated checks

Permission & Data

Sprinto displays:

Permissions Required

  • read_api

  • read_repository

Data Used by Sprinto

  • Repositories

  • Repository branches

Additional Information

Sprinto displays access requirements for the integration.

After reviewing the details, click Next.

Create IAM Role in AWS

Sprinto provides setup instructions to create an IAM role in AWS.

Create an IAM Role

  1. Log in to your AWS Management Console.

  2. Go to IAM.

  3. Navigate to Roles.

  4. Click Create role.

  5. Select Another AWS account.

  6. Under Specify accounts that can use this role, enter Sprinto’s AWS account ID.

  7. Select Require external ID.

  8. Paste the External ID provided by Sprinto.

  9. Ensure Require MFA is not selected.

  10. Click Next.

Attach Permissions

  1. On the Attach permissions policies screen, search for:

    • AWSCodeCommitReadOnly

  2. Select the policy.

  3. Click Next.

Configure Role Name

  1. On the review screen, enter a role name.

Example:

sprinto-codecommit-role

  2. Click Create role.

Retrieve Role ARN

  1. Open the newly created role.

  2. Copy the Role ARN.

  3. Keep the ARN available for the Sprinto setup flow.

Configure Trust Relationship and External ID

Sprinto requires a secure trust relationship to access AWS resources.

When creating the IAM role:

  • Add Sprinto’s AWS Account ID

  • Add Sprinto’s External ID

  • Enable third-party access using role assumption

  • Disable MFA requirement for role assumption

This ensures Sprinto can securely assume the role without direct credentials.
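The trust policy that the bullets above (and steps 1 to 4 of "How AWS CodeCommit Integration Works") produce, with a check for the three properties the integration depends on: a single trusted account, an sts:ExternalId condition, and no MFA condition. This is an added example, not Sprinto's code; the account ID and External ID are placeholders for the values Sprinto displays during setup.

```python
import json

SPRINTO_ACCOUNT_ID = "111111111111"   # placeholder: use the account ID Sprinto shows
EXTERNAL_ID = "example-external-id"   # placeholder: use the External ID Sprinto shows


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy for the role: only the named account may assume it, and
    only when it presents the agreed External ID (confused-deputy protection).
    No MFA condition, because Sprinto assumes the role programmatically."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy: dict, expected_account: str) -> list:
    """Problems that would let the wrong party assume the role, or that
    would stop Sprinto from assuming it at all."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in stmt.get("Action", ""):
            continue
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS", "") if isinstance(principal, dict) else principal
        if aws_principal == "*" or expected_account not in str(aws_principal):
            findings.append("principal is not restricted to the expected account")
        condition = json.dumps(stmt.get("Condition", {}))
        if "sts:ExternalId" not in condition:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
        if "aws:MultiFactorAuthPresent" in condition:
            findings.append("MFA condition present; Sprinto's role assumption would fail")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(SPRINTO_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print(trust_policy_findings(policy, SPRINTO_ACCOUNT_ID))
```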

Provide Role ARN in Sprinto

Once the IAM role is created:

  1. Return to Sprinto.

  2. Select the I have the sprinto-codecommit-role ARN checkbox.

  3. Click Connect AWS CodeCommit.

A new drawer opens requesting connection details.

Select AWS Region and Complete Setup

  1. Paste the Role ARN copied from AWS.

  2. Select the Production AWS Region where CodeCommit repositories exist.

  3. Click Connect AWS CodeCommit.

Sprinto validates the IAM role and establishes the connection.

Once successful, AWS CodeCommit appears as an active integration.


Synced Data

After integration, Sprinto syncs the following information.

Category          Synced Data

Repositories      Repository metadata, clone URLs, branch configuration
Pull Requests     Pull request state and approvals
IAM Access        Users, groups, policies, login state
Branches          Repository branch information


Post Connection Flow

After AWS CodeCommit is connected:

Repository Discovery

Sprinto discovers repositories available in the selected AWS region.

Access Review Monitoring

Sprinto retrieves IAM users and policies associated with repository access.

Change Management Evidence

Sprinto uses repository and pull request data to support change management controls.

Automated Checks

Sprinto continuously validates configured checks related to:

  • Repository configuration

  • Pull request approvals

  • IAM access hygiene

  • Change management evidence

Ongoing Synchronisation

Sprinto periodically refreshes repository and IAM metadata to maintain compliance evidence.

Limitations and Considerations

AWS CodeCommit provides limited pull request metadata compared to GitHub or GitLab.

Known Limitations

  • Basic approval tracking only

  • No branch protection rules API

  • Limited pull request event history

  • Reduced metadata availability compared to modern repository platforms

Recommendation

Sprinto recommends using a ticketing integration alongside AWS CodeCommit for stronger change management evidence collection.


Troubleshooting

Unable to Connect AWS CodeCommit

Ensure:

  • The Role ARN is correct.

  • The AWS region selected contains CodeCommit repositories.

  • The IAM role trust relationship includes Sprinto’s AWS account.

  • The External ID matches the value provided in Sprinto.

  • The IAM role contains required permissions.

Sprinto Cannot Access Repositories

Ensure:

  • The AWSCodeCommitReadOnly policy is attached.

  • The AWS account contains accessible CodeCommit repositories.

  • The role assumption configuration is correct.

Role ARN Validation Fails

Ensure:

  • The ARN is copied from the IAM role details page.

  • No additional spaces or invalid characters are present.

  • The IAM role exists in the selected AWS account.


Support

Contact Sprinto support if you have any queries regarding the integration or need any assistance.
