AWS CodeCommit Connection

This article walks through the details of configuring AWS CodeCommit to connect to Drata.

Updated over 2 months ago

Connecting AWS CodeCommit to Drata allows for the automated, continuous monitoring and evidence collection of the dozens of infrastructure security controls required for compliance.

BEFORE DIVING IN

Make sure you have Admin access to your company's AWS account. Specifically, you'll need the ability to create new roles.

The current instructions use the default read-only AWS CodeCommit policies required for a connection. In our opinion, these grant the connection more access than it needs, so we will add instructions here for the most limited permission set, leaving the Drata API connection with the bare minimum. COMING SOON.

This integration can be affected by AWS exclusion tags; read more and find examples in the article Exclusion tags within AWS.

Connect AWS CodeCommit to Drata

  1. Select Connections on the side navigation menu.

  2. Select the Available connections tab, search for 'AWS CodeCommit', and select the Connect button for the AWS CodeCommit integration.

  3. Within the connection drawer, enter the required information.

Overview of what we're going to set up

  • Create an IAM Policy for Drata with the required permissions.

  • Create an IAM Role for Drata to use and apply the Policy.

  • Get the new Role ARN to input into Drata.


Create a Policy

  1. Log in to the AWS Console with an account that has access to create a new role.

  2. Go to the IAM service. Once there, click on Roles in the sidebar.

  3. Click on the 'Policies' link in the sidebar.

  4. Click on the 'Create Policy' button.

  5. Copy the Drata Policy below:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:DescribeRegions",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:GetAccountAuthorizationDetails",
            "iam:GetRole",
            "iam:GetUser",
            "iam:ListAccountAliases",
            "iam:ListMFADevices",
            "iam:ListUsers",
            "iam:SimulatePrincipalPolicy"
          ],
          "Resource": "*"
        },
        {
          "Sid": "NeededUntilWeConsolidateThePolicyChecks",
          "Effect": "Allow",
          "Action": [
            "iam:GetUserPolicy",
            "iam:ListUserPolicies",
            "iam:SimulateCustomPolicy"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "codecommit:EvaluatePullRequestApprovalRules",
            "codecommit:GetApprovalRuleTemplate",
            "codecommit:GetRepository",
            "codecommit:ListAssociatedApprovalRuleTemplatesForRepository",
            "codecommit:ListRepositories"
          ],
          "Resource": "*"
        }
      ]
    }
  6. Click the 'JSON' tab.

  7. Select all of the default policy in the editor and paste over it.

  8. Click the 'Next: Tags' button.

  9. (Optional) If your company uses tags, enter them here.

  10. Click the 'Next: Review' button.

  11. Copy and paste the Drata Policy Name into the 'Name' field exactly as it appears below.

    DrataCodeCommitPolicy
  12. Copy and paste the Drata Policy Description into the 'Description' field.

    Provides read-only access for Drata Code Commit Connection
  13. Click the 'Create policy' button.
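Before pasting a vendor-supplied policy into the console, it is worth confirming what it actually grants. The Python script below is an added example, not Drata's code or an AWS tool: it embeds the DrataCodeCommitPolicy document above as its sample input and reports which services the policy touches, whether every allowed action is a read-only verb, and whether the Resource element is scoped or left as "*". The read-only prefix list is a reviewer's heuristic assumed by this example, not an official AWS access-level classification.

```python
"""Audit an IAM permissions policy document for read-only-ness (added example)."""
from __future__ import annotations

import json

# The DrataCodeCommitPolicy document from the steps above, embedded as the
# sample input so the check runs offline.
DRATA_CODECOMMIT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:DescribeRegions", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:GetAccountAuthorizationDetails", "iam:GetRole", "iam:GetUser",
                "iam:ListAccountAliases", "iam:ListMFADevices", "iam:ListUsers",
                "iam:SimulatePrincipalPolicy"],
     "Resource": "*"},
    {"Sid": "NeededUntilWeConsolidateThePolicyChecks", "Effect": "Allow",
     "Action": ["iam:GetUserPolicy", "iam:ListUserPolicies", "iam:SimulateCustomPolicy"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["codecommit:EvaluatePullRequestApprovalRules",
                "codecommit:GetApprovalRuleTemplate", "codecommit:GetRepository",
                "codecommit:ListAssociatedApprovalRuleTemplatesForRepository",
                "codecommit:ListRepositories"],
     "Resource": "*"}
  ]
}
""")

# Verb prefixes treated as non-mutating. Assumption: a reviewer's heuristic,
# not an official AWS access-level classification.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Evaluate", "Simulate")


def allowed_actions(policy: dict) -> list[str]:
    """Every action granted by an Allow statement, in document order."""
    actions: list[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        raw = stmt.get("Action", [])
        actions.extend([raw] if isinstance(raw, str) else raw)
    return actions


def mutating_actions(policy: dict) -> list[str]:
    """Actions that use a wildcard or whose verb is not a read-only prefix."""
    flagged: list[str] = []
    for action in allowed_actions(policy):
        _service, _, verb = action.partition(":")
        if "*" in action or not verb.startswith(READ_ONLY_PREFIXES):
            flagged.append(action)
    return flagged


def services_touched(policy: dict) -> set[str]:
    """Service prefixes (ec2, iam, codecommit, ...) the policy grants anything on."""
    return {action.split(":", 1)[0] for action in allowed_actions(policy)}


def resources_are_wildcards(policy: dict) -> bool:
    """True when every Allow statement uses Resource "*" (no resource scoping)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        res = stmt.get("Resource", [])
        res = [res] if isinstance(res, str) else list(res)
        if res != ["*"]:
            return False
    return True


if __name__ == "__main__":
    print("services:", sorted(services_touched(DRATA_CODECOMMIT_POLICY)))
    print("non-read-only actions:", mutating_actions(DRATA_CODECOMMIT_POLICY))
    print("every Resource is '*':", resources_are_wildcards(DRATA_CODECOMMIT_POLICY))
```

For the policy above, the script reports three services (ec2, iam, codecommit), no mutating or wildcard actions, and that every statement uses Resource "*", which is the point made earlier in the article: the actions are read-only, but they are not scoped to particular repositories or principals.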

Create a new Role

  1. Click on the Create role button, then the Another AWS account button.

  2. Use the following values to fill out the form.

    Account ID:

    269135526815

  3. Check the Require external ID checkbox, and enter your Drata account ID into the External ID field.

    The value below is just an example; you will get your real account ID within the Drata app when connecting AWS.

    External ID:

    YOUR-ACCOUNT-ID

    (Note: leave the Require MFA checkbox unchecked.)

  4. Click the Next: Permissions button.

  5. Copy and paste the Drata Policy Name into the search field and press Enter.

    Read-only Drata Policy Name for CodeCommit:

    DrataCodeCommitPolicy

  6. Click the Next: Tags button. Optionally add tags if your company uses them.

  7. Click the Next: Review button.

  8. Copy and paste the fields below into the form, then click the Create role button. Ensure that the value for Role Name is copied exactly as listed below.

    Role Name:

    DrataCodeCommitRole

    Role Description:

    Cross-account read-only access for Drata CodeCommit Connection
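The Another AWS account and Require external ID choices above are what define the role's trust policy. The Python below is an added example, not Drata's or AWS's code: it builds the trust policy those settings correspond to, with Drata's account ID 269135526815 as the principal and your Drata account ID as the required sts:ExternalId (shown with the YOUR-ACCOUNT-ID placeholder from the article), and it checks an existing trust policy for the two properties that matter, a principal limited to the expected account and a mandatory external ID. The checker function and its finding strings are assumptions of this example, useful when reviewing the role later to confirm nobody has loosened it.

```python
"""Build and check the DrataCodeCommitRole trust policy (added example)."""
from __future__ import annotations

import json

DRATA_ACCOUNT_ID = "269135526815"   # Drata's AWS account ID, from the steps above
EXTERNAL_ID = "YOUR-ACCOUNT-ID"     # placeholder; use the real value shown in the Drata app


def build_trust_policy(trusted_account: str, external_id: str) -> dict:
    """Trust policy letting only `trusted_account` assume the role, and only
    when its AssumeRole call presents `external_id`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value) -> list:
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def trust_policy_findings(policy: dict, expected_account: str) -> list[str]:
    """Problems with a trust policy relative to the setup above; empty means OK."""
    findings: list[str] = []
    grants = 0
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # not an assume-role grant
        grants += 1
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
        else:
            aws_principals = _as_list(principal)  # bare "*" form
        if not aws_principals:
            findings.append("no AWS principal in assume-role statement")
        for p in aws_principals:
            if p == "*" or not p.startswith(f"arn:aws:iam::{expected_account}:"):
                findings.append(f"unexpected principal: {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("sts:ExternalId condition missing")
    if grants == 0:
        findings.append("no sts:AssumeRole grant found")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(DRATA_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, DRATA_ACCOUNT_ID))
```

A trust policy that drops the Condition block still works for Drata but lets any principal in that account assume the role without the external ID, so the checker reports it; a principal of "*" is reported for the same reason.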


Get the new Role ARN to input into Drata

  1. Click on the new Role you just created, named DrataCodeCommitRole.

  2. Copy and paste the Role ARN value on AWS into the Role ARN field on Drata.


Don't forget the final step of copying and pasting the ARN for the role you just created ("DrataCodeCommitRole") from AWS into the text field on Drata before clicking "Save & Test Connection."

🎉 You have just successfully set up proper read-only access for Drata 🎉
