
AWS CodeCommit Integration Guide

This article walks through the details of configuring AWS CodeCommit to connect to Drata.


The AWS CodeCommit integration enables DevOps, Security, and Compliance teams to automate continuous monitoring and evidence collection for infrastructure-related security controls required for compliance.


It connects Drata to your AWS environment to collect configuration and access data from CodeCommit, ensuring visibility into your development environment.

Key Capabilities

  • Automated Evidence Collection: Continuously monitors and collects CodeCommit-related compliance evidence.

  • IAM Role Integration: Uses a secure AWS IAM role with least-privilege access for compliance monitoring.

Prerequisites & Data Access

  • Must have Admin access to your company’s AWS account.

  • Must have permission to create IAM roles and policies.

  • Must connect using a custom IAM policy that limits Drata’s access to only the AWS services and actions listed below (no managed ReadOnlyAccess or broader policies).

  • Ensure your AWS environment is not affected by exclusion tags that could prevent data collection (see Exclusion tags within AWS).

Permissions & Data Table

Each entry lists the permission/scope, why it’s needed, and the data accessed (all read only).

  ec2:DescribeRegions
    Why it’s needed: Identifies AWS regions for environment mapping.
    Data accessed (read only): Region configuration data.

  iam:GetAccountAuthorizationDetails, iam:GetRole, iam:GetUser, iam:ListAccountAliases, iam:ListMFADevices, iam:ListUsers, iam:SimulatePrincipalPolicy
    Why it’s needed: Enables Drata to retrieve IAM user, role, and account details for compliance validation.
    Data accessed (read only): IAM account and user data.

  iam:GetUserPolicy, iam:ListUserPolicies, iam:SimulateCustomPolicy
    Why it’s needed: Supports policy simulation and user access verification.
    Data accessed (read only): IAM policy data.

  codecommit:EvaluatePullRequestApprovalRules, codecommit:GetApprovalRuleTemplate, codecommit:GetRepository, codecommit:ListAssociatedApprovalRuleTemplatesForRepository, codecommit:ListRepositories
    Why it’s needed: Grants Drata read-only access to CodeCommit repositories for continuous monitoring.
    Data accessed (read only): CodeCommit repository and configuration data.

Step-by-Step Setup

  1. Create a Policy in AWS: Define a custom least-privilege policy (DrataCodeCommitPolicy) with the required permissions.

  2. Create a New IAM Role: Create a cross-account IAM role (DrataCodeCommitRole) and attach the policy.

  3. Get the Role ARN: Copy the Role ARN and enter it in Drata to complete the connection.

Step 1: Create a Policy in AWS

  1. Log in to the AWS Console with a principal that is allowed to create IAM policies and roles.

  2. Go to the IAM service and select Policies from the sidebar.

  3. Click Create Policy.

  4. Select the JSON tab.

  5. Replace the default policy text with the following Drata policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:DescribeRegions",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:GetAccountAuthorizationDetails",
            "iam:GetRole",
            "iam:GetUser",
            "iam:ListAccountAliases",
            "iam:ListMFADevices",
            "iam:ListUsers",
            "iam:SimulatePrincipalPolicy"
          ],
          "Resource": "*"
        },
        {
          "Sid": "NeededUntilWeConsolidateThePolicyChecks",
          "Effect": "Allow",
          "Action": [
            "iam:GetUserPolicy",
            "iam:ListUserPolicies",
            "iam:SimulateCustomPolicy"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "codecommit:EvaluatePullRequestApprovalRules",
            "codecommit:GetApprovalRuleTemplate",
            "codecommit:GetRepository",
            "codecommit:ListAssociatedApprovalRuleTemplatesForRepository",
            "codecommit:ListRepositories"
          ],
          "Resource": "*"
        }
      ]
    }

  6. Click Next: Tags (optional — add tags if used in your organization).

  7. Click Next: Review.

  8. Enter the following details:

    • Name: DrataCodeCommitPolicy

    • Description: Provides read-only access for Drata CodeCommit Connection

  9. Click Create Policy.

Expected outcome: You have created the DrataCodeCommitPolicy with the minimum required permissions for Drata.

Step 2: Create a New IAM Role

  1. In the IAM service, click Roles, then Create role.

  2. Select Another AWS account.

  3. In the Account ID field, enter the AWS account that Drata assumes the role from:

    269135526815

  4. Check Require external ID, and enter your Drata Account ID. The external ID becomes a condition in the role’s trust policy: without it, anyone who can act from account 269135526815 and knows your role ARN could assume the role (the confused-deputy problem). It must match exactly what Drata shows for your account.

    • Example: YOUR-ACCOUNT-ID (you’ll find this in the Drata app during connection).

  5. Leave Require MFA unchecked. Drata assumes the role programmatically and cannot present an MFA code; the external ID is the control for this cross-account trust.

  6. Click Next: Permissions.

  7. Search for and select the policy you created:

    • DrataCodeCommitPolicy

  8. Click Next: Tags (optional).

  9. Click Next: Review.

  10. Enter the following details:

    • Role Name: DrataCodeCommitRole

    • Description: Cross-account read-only access for Drata CodeCommit Connection

  11. Click Create role.

Expected outcome: You now have a cross-account IAM role (DrataCodeCommitRole) for Drata with the correct read-only permissions.

Step 3: Get the Role ARN

  1. After creating the role, click on DrataCodeCommitRole.

  2. Copy the Role ARN value.

  3. You will use this ARN to connect the integration in Drata.

Step 4: Connect Inside Drata

  1. In Drata, navigate to Connections → Available Connections.

  2. Search for AWS CodeCommit and select Connect.

  3. In the connection drawer, enter the following:

Drata Field

AWS Value

Role ARN

The ARN for your new IAM Role (DrataCodeCommitRole)

Click Save & Test Connection to complete setup.

Expected outcome: You should now see a successful connection confirmation message in Drata.

Step 5: Validate Connection / Test

  • Confirm that the connection is active in Drata’s Connections page.

  • If errors occur, verify that:

    • The role’s trust policy names account 269135526815 as the principal and requires the exact external ID shown in Drata (the assume-role call fails on any mismatch).

    • DrataCodeCommitPolicy is attached to DrataCodeCommitRole and still contains every action listed above.

    • The value entered in Drata is the role’s ARN (arn:aws:iam::<your-account-id>:role/DrataCodeCommitRole), not the policy ARN.

    • No AWS exclusion tags are blocking access.

Expected outcome: Drata is connected to AWS CodeCommit and performing read-only monitoring.
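The trust policy that Step 2 creates, and the checks Step 5 asks for, as an added example (this is not Drata’s code or tooling; EXAMPLE_EXTERNAL_ID, BAD_TRUST_POLICY and the list of read-only verbs are this example’s own assumptions). It builds the trust document from the account ID and external ID, then audits both the trust policy and the permissions policy so a drifted or widened role is caught before the connection test:

```python
"""Build the Step 2 trust policy and audit an existing role the way Step 5 asks.

Added example (not Drata's code). Works on dict documents, so you can feed it
json.loads() of `aws iam get-role` / `aws iam get-policy-version` output.
"""
import json
import re

# From the guide: the AWS account Drata assumes the role from.
DRATA_ACCOUNT_ID = "269135526815"
# Placeholder (assumption): replace with the Drata Account ID shown in the Drata app.
EXAMPLE_EXTERNAL_ID = "YOUR-ACCOUNT-ID"

# Assumption: action verbs that only read; anything else in the permissions policy is flagged.
READ_ONLY_VERB = re.compile(r"^(Describe|Get|List|Simulate|Evaluate)")

# DrataCodeCommitPolicy exactly as given in Step 1 of the guide.
DRATA_CODECOMMIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:DescribeRegions", "Resource": "*"},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "iam:GetAccountAuthorizationDetails", "iam:GetRole", "iam:GetUser",
            "iam:ListAccountAliases", "iam:ListMFADevices", "iam:ListUsers",
            "iam:SimulatePrincipalPolicy"]},
        {"Sid": "NeededUntilWeConsolidateThePolicyChecks", "Effect": "Allow",
         "Resource": "*", "Action": [
            "iam:GetUserPolicy", "iam:ListUserPolicies", "iam:SimulateCustomPolicy"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "codecommit:EvaluatePullRequestApprovalRules",
            "codecommit:GetApprovalRuleTemplate", "codecommit:GetRepository",
            "codecommit:ListAssociatedApprovalRuleTemplatesForRepository",
            "codecommit:ListRepositories"]},
    ],
}

# Constructed sample of a misconfigured trust policy: any AWS principal, no external ID.
BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_trust_policy(drata_account_id, external_id):
    """The trust policy the Step 2 console flow produces: trust Drata's account,
    and only when the caller supplies the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{drata_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_trust_policy(doc, drata_account_id, external_id):
    """Findings (empty list means OK) for a role's AssumeRolePolicyDocument."""
    findings = []
    expected = f"arn:aws:iam::{drata_account_id}:root"
    saw_assume = False
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        saw_assume = True
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if principals != [expected]:
            findings.append(f"principal {principals} is not exactly [{expected}]")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or does not match")
    if not saw_assume:
        findings.append("no Allow sts:AssumeRole statement")
    return findings


def audit_permissions_policy(doc):
    """Flag wildcard or non-read-only actions, e.g. after someone widened the policy."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            _service, _, verb = action.partition(":")
            if "*" in action:
                findings.append(f"wildcard action {action}")
            elif not READ_ONLY_VERB.match(verb):
                findings.append(f"non-read-only action {action}")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy(DRATA_ACCOUNT_ID, EXAMPLE_EXTERNAL_ID)
    print(json.dumps(trust, indent=2))  # usable as --assume-role-policy-document for `aws iam create-role`
    print("trust findings:", audit_trust_policy(trust, DRATA_ACCOUNT_ID, EXAMPLE_EXTERNAL_ID))
    print("bad trust findings:", audit_trust_policy(BAD_TRUST_POLICY, DRATA_ACCOUNT_ID, EXAMPLE_EXTERNAL_ID))
    print("policy findings:", audit_permissions_policy(DRATA_CODECOMMIT_POLICY))
```

To audit the live role rather than the embedded samples, pass the Role.AssumeRolePolicyDocument field from `aws iam get-role --role-name DrataCodeCommitRole` to audit_trust_policy, and the attached policy’s document (from `aws iam get-policy-version`) to audit_permissions_policy; an empty findings list for both is the state Step 5 expects.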

🎉 You have successfully set up read-only access for Drata 🎉
