Skip to main content
All CollectionsIntegrations
AWS CodeCommit Connection Details
AWS CodeCommit Connection Details

This article walks through the details of configuring AWS CodeCommit to connect to Drata.

Ashley Hyman avatar
Written by Ashley Hyman
Updated over a week ago

HERE'S WHY

Connecting AWS CodeCommit to Drata allows for the automated, continuous monitoring and evidence collection of the dozens of infrastructure security controls required for compliance.

BEFORE DIVING IN

Make sure you have an IAM account that has access to create new roles.

Overview of what we're going to set up

  • Create an IAM Profile for Drata with the required permissions.

  • Create an IAM Role for Drata to use and apply the Policy.

  • Get the new Role ARN to input into Drata.


Create a Policy

  1. Log in to the AWS Console with an account that has access to create a new role.

  2. Go to the IAM service, once there, click on Roles in the sidebar.

  3. Click on 'Policies' link in the sidebar.

  4. Click on the 'Create Policy' button.

  5. Copy the Drata Policy below:

    { "Version": "2012-10-17", 
    "Statement": [ {
    "Effect": "Allow",
    "Action": "ec2:DescribeRegions",
    "Resource": "*"
    }, {
    "Effect": "Allow",
    "Action": [
    "iam:GetAccountAuthorizationDetails",
    "iam:GetRole",
    "iam:GetUser",
    "iam:ListAccountAliases",
    "iam:ListMFADevices",
    "iam:ListUsers",
    "iam:SimulatePrincipalPolicy"
    ],
    "Resource": "*"
    }, {
    "Sid": "NeededUntilWeConsolidateThePolicyChecks",
    "Effect": "Allow",
    "Action": [
    "iam:GetUserPolicy",
    "iam:ListUserPolicies",
    "iam:SimulateCustomPolicy"
    ],
    "Resource": "*"
    }, {
    "Effect": "Allow",
    "Action": [
    "codecommit:EvaluatePullRequestApprovalRules",
    "codecommit:GetApprovalRuleTemplate",
    "codecommit:GetRepository",
    "codecommit:ListAssociatedApprovalRuleTemplatesForRepository",
    "codecommit:ListRepositories"
    ],
    "Resource": "*"
    }]
    }
  6. Click the 'JSON' tab.

  7. Select all of the default policy in the editor and paste over it.

  8. Click the 'Next: Tags' button.

  9. (Optional) If your company uses tags, enter them here.

  10. Click the 'Next: Review' button.

  11. Copy and paste the Drata Policy Name into the 'Name' field exactly as it appears below.

    DrataCodeCommitPolicy
  12. Copy and paste the Drata Policy Description into the 'Description' field.

    Provides read-only access for Drata Code Commit Connection
  13. Click the 'Create policy' button.

Create a new Role

  1. Click on the Create role button, then the Another AWS account button.

  2. Use the following values to fill out the form

Account ID:

269135526815

5. Check the Require external ID checkbox, and enter your Drata account ID into the External ID field.

The value below is just an example... you will get your REAL account ID within the Drata app when connecting AWS.


​External ID:

YOUR-ACCOUNT-ID

(Note: Leave the Require MFA checkbox un-checked)

6. Click the Next: Permissions button.

7. Copy and paste the Drata Policy Name into the search field and press enter.

Read Only Drata Policy Name for CodeCommit:

DrataCodeCommitPolicy

8. Click the Next: Tags button. Optionally add tags if your company uses them.

9. Click the Next: Review button.

10. Copy and paste the fields below into the form, then click the Create role button. Ensure that the value for Role Name is copied exactly as listed below.

Role Name:

DrataCodeCommitRole

Role Description:

Cross-account read-only access for Drata CodeCommit Connection


Get the new Role ARN to input into Drata

  1. Click on the new Role you just created, named DrataCodeCommitRole.

  2. Copy and paste the Role ARN value on AWS into the Role ARN field on Drata.


πŸŽ‰ You have just successfully setup proper read-only access for Drata πŸŽ‰

Did this answer your question?