# AWS CodeCommit

Integrate AWS CodeCommit, Amazon Web Services' fully managed Git-based source control service, into OX Security. This connector enables scanning and monitoring of CodeCommit repositories to uncover vulnerabilities, secrets, misconfigurations, and open-source compliance issues across your codebase.

## Why Connect CodeCommit to OX Security

Connecting OX to AWS CodeCommit gives you:

* Continuous visibility into code changes across repositories hosted in AWS.
* Seamless integration with the AWS identity and access ecosystem (IAM, federated roles, IAM Identity Center).
* Ability to map findings back to commits and pull requests for actionable remediation.
* Secure, private Git hosting fully managed by AWS under the shared-responsibility model.

## Connection Methods and Security Considerations

### IAM Role or User Credentials (Recommended)

Security Considerations:

* Uses an IAM role (assumed by OX through STS) or an IAM user, each attached to a least-privilege policy.
* Supports federated access (IAM Identity Center or an external IdP) so that OX operates on temporary credentials.
* Prefer the role: assuming a role yields short-lived STS credentials, whereas an IAM user's access key is a static, long-lived secret that must be stored in OX and rotated.

Setup Steps:

1. Open the AWS CodeCommit connector in the OX UI.
2. Select role-based authentication by providing:
   * an IAM role ARN whose trust policy allows OX to assume it, or
   * an IAM user access key ID and secret access key.
3. Ensure the credentials carry the CodeCommit permissions OX needs: listing and reading repositories and cloning them (for example `codecommit:ListRepositories`, `codecommit:GetRepository`, and `codecommit:GitPull`, the IAM action that authorizes `git clone` and `git pull`).
4. Allow network access from OX (or the OX Broker) to the AWS CodeCommit and STS endpoints.
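The following is an added example, not OX's own tooling or a policy published by OX: it builds the two IAM documents the role-based setup above needs (a trust policy for the assumable role and a read-only permissions policy) and lints them for the two mistakes that most often creep in, a trust policy without an external ID and permissions broader than read-only. The principal ARN, external ID, account and region are placeholder assumptions; take the real values from the OX connector UI and your own account. The action list is a read-only set sufficient for discovery and cloning; it is not a list the page itself publishes.

```python
import json

# --- Placeholders (assumptions, not values from OX or AWS) -------------------
OX_PRINCIPAL_ARN = "arn:aws:iam::111111111111:root"  # OX's account; read it from the connector UI
EXTERNAL_ID = "ox-connector-6f1c2a"                   # constructed; use the one OX supplies
TARGET_ACCOUNT = "222222222222"                       # the account that hosts the repositories
TARGET_REGION = "us-east-1"

# Read-only CodeCommit actions sufficient for discovery and cloning.
# codecommit:GitPull is the IAM action behind git clone/fetch/pull.
READ_ONLY_ACTIONS = (
    "codecommit:ListRepositories",
    "codecommit:BatchGetRepositories",
    "codecommit:GetRepository",
    "codecommit:ListBranches",
    "codecommit:GetBranch",
    "codecommit:GetCommit",
    "codecommit:ListPullRequests",
    "codecommit:GetPullRequest",
    "codecommit:GitPull",
)


def trust_policy(principal_arn: str, external_id: str) -> dict:
    """Trust policy: only principal_arn may assume the role, and only when it
    presents external_id (mitigates the cross-account confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(account: str, region: str) -> dict:
    """Least-privilege permissions. ListRepositories only supports Resource "*";
    every other action is pinned to repositories in one account and region."""
    repo_arn = f"arn:aws:codecommit:{region}:{account}:*"
    scoped = [a for a in READ_ONLY_ACTIONS if a != "codecommit:ListRepositories"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Discover", "Effect": "Allow",
             "Action": "codecommit:ListRepositories", "Resource": "*"},
            {"Sid": "ReadAndClone", "Effect": "Allow",
             "Action": scoped, "Resource": repo_arn},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_permissions_policy(policy: dict) -> list:
    """Return a finding for anything broader than read-only CodeCommit access."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif not action.startswith("codecommit:"):
                findings.append(f"{sid}: non-CodeCommit action {action!r}")
            elif action not in READ_ONLY_ACTIONS:
                findings.append(f"{sid}: write or unneeded action {action!r}")
        if "*" in resources and actions != ["codecommit:ListRepositories"]:
            findings.append(f"{sid}: Resource '*' on actions that support repository ARNs")
    return findings


def lint_trust_policy(policy: dict) -> list:
    """Flag trust statements that let any account assume the role or omit the external ID."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append("trust: Principal '*' lets any AWS account assume the role")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append("trust: no sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    # Save the two documents as trust.json and permissions.json, then:
    #   aws iam create-role --role-name OxCodeCommitReadOnly \
    #       --assume-role-policy-document file://trust.json
    #   aws iam put-role-policy --role-name OxCodeCommitReadOnly \
    #       --policy-name CodeCommitReadOnly --policy-document file://permissions.json
    trust = trust_policy(OX_PRINCIPAL_ARN, EXTERNAL_ID)
    perms = permissions_policy(TARGET_ACCOUNT, TARGET_REGION)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("trust findings:", lint_trust_policy(trust))
    print("permission findings:", lint_permissions_policy(perms))
```

Run the two linters against any role you already have before wiring it into the connector; a policy copied from `AWSCodeCommitPowerUser` will be flagged for `codecommit:GitPush` and the other write actions, which a scanner never needs.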

### Personal Credentials / Git HTTPS (Optional)

Security Considerations:

* HTTPS Git credentials are a static username/password pair generated in IAM for a specific IAM user; the AWS CLI credential helper instead signs each Git request with whatever AWS credentials are currently active, so it can run on temporary credentials.
* Static Git credentials are a standing secret: the risk grows if they are not rotated or if the owning IAM user is broadly scoped.
* They must be stored securely (in the OX connector only) and the IAM user's policy restricted to read-only CodeCommit actions.

Setup Steps:

1. In IAM, generate HTTPS Git credentials for the IAM user, or configure the AWS CLI credential helper (`aws codecommit credential-helper`) so that Git requests are signed with the current AWS credentials.
2. Provide these credentials in the connector configuration.
3. OX will use them for Git pull and clone operations to access repository contents.

## Repository Discovery and Scanning Scope

After authentication:

* OX auto-discovers all CodeCommit repositories across linked AWS account(s).
* You may select which repositories to monitor and scan.
* You can enable automatic inclusion of newly created repositories.
* Use the connector gear icon to manage repository scope in the UI.

## Recommended Best Practices

* Prefer IAM roles or federated access over static credentials for better credential hygiene.
* Grant least privilege through a policy scoped to read-only CodeCommit actions; the managed policy `AWSCodeCommitReadOnly` is a reasonable starting point, whereas `AWSCodeCommitPowerUser` grants push and repository-modification rights that a scanner does not need.
* Support cross-account access via IAM roles and trust policies where applicable, and condition the trust policy on an external ID so that only OX can assume the role.
* For credential-based access, use the AWS CLI credential helper or `git-remote-codecommit`, both of which sign Git requests with the current AWS credentials instead of storing a static Git password.
* Regularly audit IAM policies and rotate IAM access keys and HTTPS Git credentials.
* Ensure OX’s IPs are allowed through AWS security configurations (e.g., VPC, firewall).

## Summary Table

| Method                      | Credential risk                | Least privilege                  | Setup                                        |
| --------------------------- | ------------------------------ | -------------------------------- | -------------------------------------------- |
| IAM role (STS AssumeRole)   | Low (temporary credentials)    | Yes, via the role policy         | Recommended; role ARN plus trust policy      |
| IAM user access key         | Medium (static, long-lived key) | Yes, via the user policy        | Key stored in OX; must be rotated            |
| HTTPS Git credentials (IAM) | Medium to high                 | Depends on the IAM user's policy | Manual credential generation and rotation    |

## Security Posture Impact

By securely integrating AWS CodeCommit with OX:

* You extend OX’s scanning capabilities into AWS-managed code repositories using AWS access controls.
* OX ingests code, metadata, and commit history to perform SCA, SAST, secrets scanning, IaC analysis, and policy enforcement.
* Configured properly, this setup maintains enterprise-level identity controls and minimizes credential exposure while enabling deep security visibility across your software supply chain.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.ox.security/get-started/onboarding-to-ox/source-control/aws-codecommit.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
