

Amazon CodeCatalyst is no longer open to new customers. Existing customers can continue to use the service as normal. For more information, see [How to migrate from CodeCatalyst](migration.md).

# Security in Amazon CodeCatalyst
<a name="security"></a>

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive spaces.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security of the cloud and security in the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to CodeCatalyst, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS services that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using Amazon CodeCatalyst. It shows you how to configure CodeCatalyst to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your CodeCatalyst resources.

**Topics**
+ [Data privacy](data-privacy.md)
+ [Data protection](data-protection.md)
+ [CodeCatalyst and Identity and Access Management](security-iam.md)
+ [Compliance validation](compliance-validation.md)
+ [Resilience](disaster-recovery-resiliency.md)
+ [Infrastructure Security](infrastructure-security.md)
+ [Configuration and vulnerability analysis](vulnerability-analysis-and-management.md)
+ [Your data and privacy in Amazon CodeCatalyst](your-data-privacy.md)
+ [Best practices for workflow actions](security-best-practices-for-actions.md)
+ [Understanding the CodeCatalyst trust model](trust-model.md)

# Data privacy in Amazon CodeCatalyst
<a name="data-privacy"></a>

CodeCatalyst collects aggregate information in IAM Identity Center. CodeCatalyst uses this aggregate data to provide access to spaces and projects in CodeCatalyst. The following aggregate information is collected:
+ User's full name
+ User's email
+ User's user name

CodeCatalyst data is automatically encrypted at rest. No customer action is required. When a user, identity center, or space is deleted, CodeCatalyst deletes customer data within 24 hours.

CodeCatalyst uses AWS-owned AWS KMS keys. CodeCatalyst does not support encryption at rest using customer managed KMS keys for the identity attributes retrieved from IAM Identity Center.

For more information about AWS KMS keys, see the user documentation at [AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html).

# Data protection in Amazon CodeCatalyst
<a name="data-protection"></a>

Security and Compliance is a shared responsibility between Amazon CodeCatalyst and the customer, just as the AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to your use of AWS resources used in a workflow. As described in this model, CodeCatalyst is responsible for protecting the global infrastructure for the service. You are responsible for maintaining control over your content that is hosted on this infrastructure. This shared responsibility model applies to data protection in CodeCatalyst.

For data protection purposes, we recommend that you protect your account credentials, and that you set up multi-factor authentication when signing in. For more information, see [Configure your AWS Builder ID to sign in with multi-factor authentication (MFA)](mfa.md). 

Do not enter confidential or sensitive information, such as your customers' email addresses, in tags or free-form fields such as a **Name** field. This includes resource names and any other identifiers you enter in CodeCatalyst, as well as in any connected AWS accounts. For example, do not enter confidential or sensitive information as part of space, project, or deployment fleet names. Any data that you enter in tags, names, or free-form fields used for names might be used for billing or diagnostic logs or could be included in URL paths. This applies to using the console, API, AWS CLI, the CodeCatalyst Action Development Kit, or any AWS SDKs.

If you provide a URL to an external server, we strongly recommend that you do not include any security credentials information in the URL to validate your request to that server.

CodeCatalyst source repositories are automatically encrypted at rest. No customer action is required. CodeCatalyst also encrypts repository data in transit using the HTTPS protocol. 

CodeCatalyst does not support encryption at rest using customer managed KMS keys for the identity attributes retrieved from IAM Identity Center.

CodeCatalyst supports MFA. For more information, see [Configure your AWS Builder ID to sign in with multi-factor authentication (MFA)](mfa.md).

## Data encryption
<a name="data-encryption"></a>

CodeCatalyst securely stores and transfers data within the service. All data is encrypted in transit and at rest. Any data created or stored by the service, including any metadata for the service, is stored natively in the service and encrypted.

**Note**  
While information about issues is stored securely within the service, information about open issues is also stored in the local cache of the browser where you viewed issue boards, backlogs, and individual issues. For optimal security, be sure to clear your browser cache to remove this information. 

If you use resources linked to CodeCatalyst, such as an account connection to an AWS account or a linked repository in GitHub, data in transit from CodeCatalyst to that linked resource is encrypted, but the data handling in that linked resource is managed by that linked service. For more information, see the documentation for the linked service and [Best practices for workflow actions in Amazon CodeCatalyst](security-best-practices-for-actions.md).

### Key management
<a name="key-management"></a>

CodeCatalyst uses AWS-owned KMS keys. This means that the keys are managed by AWS and the customer doesn't need to create or manage them directly. This simplifies key management for common encryption scenarios within AWS. 

## Inter-network traffic privacy
<a name="inter-network-traffic-privacy"></a>

When you create a space in CodeCatalyst, you choose the AWS Region where the data and resources will be stored for that space. Project data and metadata never leaves that AWS Region. However, to support navigation within CodeCatalyst, a limited set of space, project, and user metadata is replicated across all AWS Regions in the [partition](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/partitions.html). It will not be replicated to AWS Regions outside of that partition. For example, if you choose **US West (Oregon)** as the AWS Region when you create your space, your data will not be replicated to the China Regions or to AWS GovCloud (US). For more information, see [Managing AWS Regions](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html), [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure), and [AWS service endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#region-names-codes).

Data replicated across AWS Regions inside a partition includes:
+ An encrypted hash value that represents the name of the space in order to ensure the uniqueness of space names. This value is not human-readable and does not expose the actual names of spaces
+ The unique ID of the space
+ Metadata for the space that assists in the navigation across spaces
+ The AWS Region where the space is located
+ The unique IDs of all projects in the space
+ The role ID that indicates a user's role in a space or project
+ When signing up for CodeCatalyst, data and metadata about the signup process, including:
  + The unique ID of the AWS Builder ID
  + The display name for the user in their AWS Builder ID
  + The alias of the user in their AWS Builder ID
  + The email address used when the user signed up for their AWS Builder ID
  + The progress of the sign up process
  + If creating a space as part of the sign up process, the AWS account ID that is used as the billing account for the space

Space names are unique across CodeCatalyst. Be sure not to include sensitive data in the name of the space.

When working with linked resources and connected accounts such as a connection to an AWS account or a GitHub repository, we recommend configuring your source and destination locations with the highest level of security that each one supports. CodeCatalyst secures the connection between AWS accounts, AWS Regions, and Availability Zones by using Transport Layer Security (TLS) 1.2.

# Identity and Access Management and Amazon CodeCatalyst
<a name="security-iam"></a>

In Amazon CodeCatalyst, you create and use an AWS Builder ID in order to sign in and access your spaces and projects. An AWS Builder ID is not an identity in AWS Identity and Access Management (IAM) and does not exist in an AWS account. However, CodeCatalyst does integrate with IAM when verifying a space for billing purposes, and when connected to an AWS account to create and use resources in that AWS account.

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use resources. IAM is an AWS service that you can use with no additional charge.

When you create a space in Amazon CodeCatalyst, you must connect an AWS account as the billing account for your space. You must have administrator permissions in the AWS account to verify the CodeCatalyst space, or have the  permission. You also have the option to add an IAM role for your space that CodeCatalyst can use to create and access resources in that connected AWS account. This is called a [service role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role). You can choose to create connections to more than one AWS account and create service roles for CodeCatalyst in each of those accounts. 

**Note**  
Billing for CodeCatalyst takes place in the AWS account designated as the billing account. However, if you create a CodeCatalyst service role in that AWS account or in any other connected AWS account, resources created and used by the CodeCatalyst service role will be billed in that connected AWS account. For more information, see [Managing billing](https://docs.aws.amazon.com/codecatalyst/latest/adminguide/managing-billing.html) in the Amazon CodeCatalyst Administrator Guide.

**Topics**
+ [Identity-based policies in IAM](#id-based-policies)
+ [Policy actions in IAM](#id-based-policies-actions)
+ [Policy resources in IAM](#id-based-policies-resources)
+ [Policy condition keys in IAM](#id-based-policies-conditionkeys)
+ [Identity-based policy examples for CodeCatalyst connections](#id-based-policy-examples)
+ [Using tags to control access to account connection resources](id-based-policy-examples-tags.md)
+ [CodeCatalyst permissions reference](#permissions-reference)
+ [Using service-linked roles for CodeCatalyst](using-service-linked-roles.md)
+ [AWS managed policies for Amazon CodeCatalyst](security-iam-awsmanpol.md)
+ [Grant access to project AWS resources with IAM roles](ipa-iam-roles.md)

## Identity-based policies in IAM
<a name="id-based-policies"></a>

Identity-based policies are JSON permissions policy documents that you can attach to an identity. That identity could be a user, a group of users, or a role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. You can't specify the principal in an identity-based policy because it applies to the user or role to which it is attached. To learn about all of the elements that you can use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

### Identity-based policy examples for CodeCatalyst
<a name="id-based-policies-examples"></a>

To view examples of CodeCatalyst identity-based policies, see [Identity-based policy examples for CodeCatalyst connections](#id-based-policy-examples).

## Policy actions in IAM
<a name="id-based-policies-actions"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform which **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated AWS API operation. There are some exceptions, such as *permission-only actions* that don't have a matching API operation. There are also some operations that require multiple actions in a policy. These additional actions are called *dependent actions*.

To specify multiple actions in a single statement, separate them with commas.

```
"Action": [
  "prefix:action1",
  "prefix:action2"
]
```

## Policy resources in IAM
<a name="id-based-policies-resources"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform which **actions** on what **resources**, and under what **conditions**.

The `Resource` JSON policy element specifies the object or objects to which the action applies. Statements must include either a `Resource` or a `NotResource` element. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html). You can do this for actions that support a specific resource type, known as *resource-level permissions*.

For actions that don't support resource-level permissions, such as listing operations, use a wildcard (*) to indicate that the statement applies to all resources.

```
"Resource": "*"
```

## Policy condition keys in IAM
<a name="id-based-policies-conditionkeys"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform which **actions** on what **resources**, and under what **conditions**.

The `Condition` element (or `Condition` *block*) lets you specify conditions in which a statement is in effect. The `Condition` element is optional. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. 

If you specify multiple `Condition` elements in a statement, or multiple keys in a single `Condition` element, AWS evaluates them using a logical `AND` operation. If you specify multiple values for a single condition key, AWS evaluates the condition using a logical `OR` operation. All of the conditions must be met before the statement's permissions are granted.

 You can also use placeholder variables when you specify conditions. For more information, see [IAM policy elements: variables and tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) in the *IAM User Guide*. 

AWS supports global condition keys and service-specific condition keys. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

## Identity-based policy examples for CodeCatalyst connections
<a name="id-based-policy-examples"></a>

In CodeCatalyst, AWS accounts are required to manage billing for a space and to access resources in project workflows. An account connection is used to authorize adding AWS accounts to a space. Identity-based policies are used in the connected AWS accounts.

By default, users and roles don't have permission to create or modify CodeCatalyst resources. They also can't perform tasks by using the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform actions on the resources that they need. The administrator must then attach those policies to the users that require them.

The following example IAM policies grant permissions for actions related to account connections. Use them to limit access for connecting accounts to CodeCatalyst.

### Example 1: Allow a user to accept connection requests in a single AWS Region
<a name="id-based-policy-examples-accept-only"></a>

The following permissions policy only allows users to view and accept requests for connections between CodeCatalyst and AWS accounts. In addition, the policy uses a condition to only allow the actions in the us-west-2 Region and not from other AWS Regions. To view and approve the request, the user signs in to the AWS Management Console with the same account as that specified in the request. 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecatalyst:AcceptConnection",
        "codecatalyst:GetPendingConnection"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-west-2"
        }
      }
    }
  ]
}
```

------

### Example 2: Allow managing connections in the console for a single AWS Region
<a name="id-based-policy-examples-allow"></a>

The following permissions policy allows users to manage connections between CodeCatalyst and AWS accounts in a single Region. The policy uses a condition to only allow the actions in the us-west-2 Region and not from other AWS Regions. After you create a connection, you can create the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role by choosing the option in the AWS Management Console. In the example policy, the condition for the `iam:PassRole` action includes the service principals for CodeCatalyst. Only roles that can be passed to those CodeCatalyst service principals can be created in the AWS Management Console.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codecatalyst:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "us-west-2"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:AttachRolePolicy",
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "codecatalyst.amazonaws.com",
                        "codecatalyst-runner.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------

### Example 3: Deny managing connections
<a name="id-based-policy-examples-deny"></a>

The following permissions policy denies users any ability to manage connections between CodeCatalyst and AWS accounts.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "codecatalyst:*"
            ],
            "Resource": "*"
        }
    ]
}
```

------

# Using tags to control access to account connection resources
<a name="id-based-policy-examples-tags"></a>

Tags can be attached to the resource or passed in the request to services that support tagging. Resources in policies can have tags, and some actions in policies can include tags. Tagging condition keys include the `aws:RequestTag` and `aws:ResourceTag` condition keys. When you create an IAM policy, you can use tag condition keys to control the following:
+ Which users can perform actions on a connection resource, based on tags that it already has.
+ Which tags can be passed in an action's request.
+ Whether specific tag keys can be used in a request.

The following examples demonstrate how to specify tag conditions in policies for CodeCatalyst account connections users. For more information about condition keys, see [Policy condition keys in IAM](security-iam.md#id-based-policies-conditionkeys).

## Example 1: Allow actions based on tags in the request
<a name="id-based-policy-examples-tags-request"></a>

The following policy grants users permission to approve account connections.

To do that, it allows the `AcceptConnection` and `TagResource` actions if the request specifies a tag named `Project` with the value `ProjectA`. (The `aws:RequestTag` condition key is used to control which tags can be passed in an IAM request.) The `aws:TagKeys` condition ensures tag key case sensitivity.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecatalyst:AcceptConnection",
        "codecatalyst:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Project": "ProjectA"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["Project"]
        }
      }
    }
  ]
}
```

------

## Example 2: Allow actions based on resource tags
<a name="id-based-policy-examples-tags-resource"></a>

The following policy grants users permission to perform actions on, and get information about, account connection resources.

To do that, it allows specific actions if the connection has a tag named `Project` with the value `ProjectA`. (The `aws:ResourceTag` condition key matches tags that are already attached to the resource, so the actions are allowed only on connections that already carry that tag.)

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecatalyst:GetConnection",
        "codecatalyst:DeleteConnection",
        "codecatalyst:AssociateIamRoleToConnection",
        "codecatalyst:DisassociateIamRoleFromConnection",
        "codecatalyst:ListIamRolesForConnection",
        "codecatalyst:PutBillingAuthorization"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Project": "ProjectA"
        }
      }
    }
  ]
}
```

------
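The condition semantics described under "Policy condition keys in IAM" (keys ANDed, values ORed, `ForAllValues` over set-valued keys) and the region, request-tag and resource-tag examples above can be checked offline. The following Python is an added example, not part of the CodeCatalyst documentation or of any AWS tool: it is a deliberately simplified model of IAM evaluation (only `StringEquals` and `ForAllValues:StringEquals`, no resource matching, explicit deny over allow, implicit deny otherwise) applied to the policies from this page with constructed request contexts.

```python
import fnmatch

# Policies transcribed from the examples above: region-scoped accept,
# the two tag-condition policies, and the deny-all policy.
REGION_ACCEPT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["codecatalyst:AcceptConnection", "codecatalyst:GetPendingConnection"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "us-west-2"}}}]}

REQUEST_TAG_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["codecatalyst:AcceptConnection", "codecatalyst:TagResource"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestTag/Project": "ProjectA"},
                  "ForAllValues:StringEquals": {"aws:TagKeys": ["Project"]}}}]}

RESOURCE_TAG_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["codecatalyst:GetConnection", "codecatalyst:DeleteConnection"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/Project": "ProjectA"}}}]}

DENY_ALL_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": ["codecatalyst:*"], "Resource": "*"}]}


def _as_list(value):
    """Policy and context values may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Evaluate a Condition block against a request context (simplified model).

    Every operator block and every key inside it must match (logical AND);
    several values for one key match if any of them does (logical OR).
    """
    for operator, keys in condition.items():
        set_prefix, _, base_operator = operator.rpartition(":")
        if base_operator != "StringEquals" or set_prefix not in ("", "ForAllValues"):
            raise NotImplementedError(f"operator {operator} is not modelled")
        for key, expected in keys.items():
            allowed = set(_as_list(expected))
            actual = _as_list(context.get(key))
            if set_prefix == "ForAllValues":
                # Every request value must be allowed; a key absent from the
                # request (empty set) satisfies ForAllValues.
                if not all(value in allowed for value in actual):
                    return False
            # Single-valued key: absent from the request means no match.
            elif not actual or actual[0] not in allowed:
                return False
    return True


def evaluate(policies, action, context):
    """Return "Allow", "ExplicitDeny" or "ImplicitDeny" for one request.

    An explicit Deny wins over any Allow; with no matching statement the
    result is an implicit deny. Resource matching is omitted because every
    policy above uses "Resource": "*".
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            patterns = _as_list(statement.get("Action"))
            # Action names are case-insensitive and support * and ? wildcards.
            if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
                continue
            if not condition_matches(statement.get("Condition", {}), context):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def run_scenarios():
    """Constructed request contexts that exercise each policy's condition."""
    accept, tag, get = ("codecatalyst:AcceptConnection", "codecatalyst:TagResource",
                        "codecatalyst:GetConnection")
    return {
        "accept_in_us_west_2": evaluate([REGION_ACCEPT_POLICY], accept, {"aws:RequestedRegion": "us-west-2"}),
        "accept_in_us_east_1": evaluate([REGION_ACCEPT_POLICY], accept, {"aws:RequestedRegion": "us-east-1"}),
        "tag_project_a": evaluate([REQUEST_TAG_POLICY], tag,
                                  {"aws:RequestTag/Project": "ProjectA", "aws:TagKeys": ["Project"]}),
        "tag_extra_key": evaluate([REQUEST_TAG_POLICY], tag,
                                  {"aws:RequestTag/Project": "ProjectA", "aws:RequestTag/Env": "prod",
                                   "aws:TagKeys": ["Project", "Env"]}),
        "resource_tagged_a": evaluate([RESOURCE_TAG_POLICY], get, {"aws:ResourceTag/Project": "ProjectA"}),
        "resource_untagged": evaluate([RESOURCE_TAG_POLICY], get, {}),
        "deny_wins": evaluate([REGION_ACCEPT_POLICY, DENY_ALL_POLICY], accept,
                              {"aws:RequestedRegion": "us-west-2"}),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:>20}: {decision}")
```

The `tag_extra_key` scenario shows why the `aws:TagKeys` condition matters: a request that also carries an `Env` tag is denied even though `Project` is `ProjectA`. For a real policy, confirm the result with the IAM policy simulator rather than this model.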

## CodeCatalyst permissions reference
<a name="permissions-reference"></a>

This section provides a permissions reference for actions used with the account connection resource for AWS accounts that are connected to CodeCatalyst. The following section describes permissions-only actions that are related to connecting accounts.

### Required permissions for account connections
<a name="permissions-reference-connections"></a>

The following permissions are required for working with account connections.

| CodeCatalyst permissions for account connections | Required permissions | Resources |
| --- | --- | --- |
| AcceptConnection | Required to accept a request to connect this account to a CodeCatalyst space. This is an IAM policy permission only, not an API action. | Supports only a wildcard (*) in the policy `Resource` element. |
| AssociateIamRoleToConnection | Required to associate an IAM role to an account connection. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/connections/connection_ID` |
| DeleteConnection | Required to delete an account connection. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/connections/connection_ID` |
| DisassociateIamRoleFromConnection | Required to disassociate an IAM role from an account connection. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/connections/connection_ID` |
| GetBillingAuthorization | Required to describe the billing authorization for an account connection. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/connections/connection_ID` |
| GetConnection | Required to get an account connection. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/connections/connection_ID` |
| GetPendingConnection | Required to get a pending request to connect this account to a CodeCatalyst space. This is an IAM policy permission only, not an API action. | Supports only a wildcard (*) in the policy `Resource` element. |
| ListConnections | Required to list account connections that are not pending. This is an IAM policy permission only, not an API action. | Supports only a wildcard (*) in the policy `Resource` element. |
| ListIamRolesForConnection | Required to list IAM roles associated with an account connection. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/connections/connection_ID` |
| ListTagsForResource | Required to list tags associated with an account connection. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/connections/connection_ID` |
| PutBillingAuthorization | Required to create or update the billing authorization for an account connection. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/connections/connection_ID` |
| RejectConnection | Required to reject a request to connect this account to a CodeCatalyst space. This is an IAM policy permission only, not an API action. | Supports only a wildcard (*) in the policy `Resource` element. |
| TagResource | Required to create or edit tags associated with an account connection. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/connections/connection_ID` |
| UntagResource | Required to remove tags associated with an account connection. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/connections/connection_ID` |

### Required permissions for IAM Identity Center applications
<a name="permissions-reference-applications"></a>

The following permissions are required for working with IAM Identity Center applications.

| CodeCatalyst permissions for IAM Identity Center applications | Required permissions | Resources |
| --- | --- | --- |
| AssociateIdentityCenterApplicationToSpace | Required to associate an IAM Identity Center application with a CodeCatalyst space. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID` |
| AssociateIdentityToIdentityCenterApplication | Required to associate an identity with an IAM Identity Center application for a CodeCatalyst space. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID` |
| BatchAssociateIdentitiesToIdentityCenterApplication | Required to associate multiple identities with an IAM Identity Center application for a CodeCatalyst space. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID` |
| BatchDisassociateIdentitiesFromIdentityCenterApplication | Required to disassociate multiple identities from an IAM Identity Center application for a CodeCatalyst space. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID` |
| CreateIdentityCenterApplication | Required to create an IAM Identity Center application. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID` |
| CreateSpaceAdminRoleAssignment | Required to create an administrator role assignment for a given CodeCatalyst space and IAM Identity Center application. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID` |
| DeleteIdentityCenterApplication | Required to delete an IAM Identity Center application. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID` |
| DisassociateIdentityCenterApplicationFromSpace | Required to disassociate an IAM Identity Center application from a CodeCatalyst space. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID` |
| DisassociateIdentityFromIdentityCenterApplication | Required to disassociate an identity from an IAM Identity Center application for a CodeCatalyst space. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID` |
| GetIdentityCenterApplication | Required to get information about an IAM Identity Center application. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID` |
| ListIdentityCenterApplications | Required to view a list of all IAM Identity Center applications in the account. This is an IAM policy permission only, not an API action. | Supports only a wildcard (*) in the policy `Resource` element. |
| ListIdentityCenterApplicationsForSpace | Required to view a list of IAM Identity Center applications by CodeCatalyst space. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID` |
| ListSpacesForIdentityCenterApplication | Required to view a list of CodeCatalyst spaces by IAM Identity Center application. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID` |
| SynchronizeIdentityCenterApplication | Required to synchronize an IAM Identity Center application with the backing identity store. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID` |
| UpdateIdentityCenterApplication | Required to update an IAM Identity Center application. This is an IAM policy permission only, not an API action. | `arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID` |

# Using service-linked roles for CodeCatalyst
<a name="using-service-linked-roles"></a>

Amazon CodeCatalyst uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to CodeCatalyst. Service-linked roles are predefined by CodeCatalyst and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up CodeCatalyst easier because you don’t have to manually add the necessary permissions. CodeCatalyst defines the permissions of its service-linked roles, and unless defined otherwise, only CodeCatalyst can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your CodeCatalyst resources because you can't inadvertently remove permission to access the resources.

For information about other services that support service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked roles** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for CodeCatalyst
<a name="slr-permissions"></a>

CodeCatalyst uses the service-linked role named **AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronization** – Allows Amazon CodeCatalyst read-only access to application instance profiles and associated directory users and groups on your behalf.

The AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronization service-linked role trusts the following services to assume the role:
+ `codecatalyst.amazonaws.com`

The role permissions policy named AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronizationPolicy allows CodeCatalyst to complete the following actions on the specified resources:
+ Action: `View application instance profiles and associated directory users and groups` for `CodeCatalyst spaces that support identity federation and SSO users and groups`

You must configure permissions to allow your users, groups, or roles to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role for CodeCatalyst
<a name="create-slr"></a>

You don't need to manually create a service-linked role. When you create a space in the AWS Management Console, the AWS CLI, or the AWS API, CodeCatalyst creates the service-linked role for you. 

**Important**  
This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. Also, if you were using the CodeCatalyst service before November 17, 2023, when it began supporting service-linked roles, then CodeCatalyst created the AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronization role in your account. To learn more, see [A new role appeared in my AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create a space, CodeCatalyst creates the service-linked role for you again. 

You can also use the IAM console to create a service-linked role with the **View application instance profiles and associated directory users and groups** use case. In the AWS CLI or the AWS API, create a service-linked role with the `codecatalyst.amazonaws.com` service name. For more information, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again.

## Editing a service-linked role for CodeCatalyst
<a name="edit-slr"></a>

CodeCatalyst does not allow you to edit the AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronization service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for CodeCatalyst
<a name="delete-slr"></a>

You don't need to manually delete the AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronization role. When you delete a space in the AWS Management Console, the AWS CLI, or the AWS API, CodeCatalyst cleans up the resources and deletes the service-linked role for you.

You can also use the IAM console, the AWS CLI or the AWS API to manually delete the service-linked role. To do this, you must first manually clean up the resources for your service-linked role and then you can manually delete it.

**Note**  
If the CodeCatalyst service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete CodeCatalyst resources used by the AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronization**
+ [Delete the space](https://docs.aws.amazon.com/codecatalyst/latest/userguide/spaces-delete.htm).

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronization service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for CodeCatalyst service-linked roles
<a name="slr-regions"></a>

CodeCatalyst supports using service-linked roles in all of the Regions where the service is available. For more information, see [AWS Regions and endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html).

CodeCatalyst itself is not available in every AWS Region, so the AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronization role can be used only in the Regions marked **Yes** in the following table.

| Region name | Region identity | Support in CodeCatalyst | 
| --- | --- | --- | 
| US East (N. Virginia) | us-east-1 | No | 
| US East (Ohio) | us-east-2 | No | 
| US West (N. California) | us-west-1 | No | 
| US West (Oregon) | us-west-2 | Yes | 
| Africa (Cape Town) | af-south-1 | No | 
| Asia Pacific (Hong Kong) | ap-east-1 | No | 
| Asia Pacific (Jakarta) | ap-southeast-3 | No | 
| Asia Pacific (Mumbai) | ap-south-1 | No | 
| Asia Pacific (Osaka) | ap-northeast-3 | No | 
| Asia Pacific (Seoul) | ap-northeast-2 | No | 
| Asia Pacific (Singapore) | ap-southeast-1 | No | 
| Asia Pacific (Sydney) | ap-southeast-2 | No | 
| Asia Pacific (Tokyo) | ap-northeast-1 | No | 
| Canada (Central) | ca-central-1 | No | 
| Europe (Frankfurt) | eu-central-1 | No | 
| Europe (Ireland) | eu-west-1 | Yes | 
| Europe (London) | eu-west-2 | No | 
| Europe (Milan) | eu-south-1 | No | 
| Europe (Paris) | eu-west-3 | No | 
| Europe (Stockholm) | eu-north-1 | No | 
| Middle East (Bahrain) | me-south-1 | No | 
| Middle East (UAE) | me-central-1 | No | 
| South America (São Paulo) | sa-east-1 | No | 
| AWS GovCloud (US-East) | us-gov-east-1 | No | 
| AWS GovCloud (US-West) | us-gov-west-1 | No | 

# AWS managed policies for Amazon CodeCatalyst
<a name="security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## AWS managed policy: AmazonCodeCatalystSupportAccess
<a name="security-iam-awsmanpol-AmazonCodeCatalystSupportAccess"></a>





This policy grants space administrators and space members permission to use the Business or Enterprise premium support plan associated with the space billing account. With these permissions, space administrators and members can open and manage support cases for the resources they are allowed to access under their CodeCatalyst permissions policies.



**Permissions details**

This policy includes the following permissions.




+ `support` – Grants permissions to allow users to search for, create, and resolve AWS Support cases. Also grants permissions to describe communications, severity levels, attachments, and related support case details.



------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "support:DescribeAttachment",
        "support:DescribeCaseAttributes",
        "support:DescribeCases",
        "support:DescribeCommunications",
        "support:DescribeIssueTypes",
        "support:DescribeServices",
        "support:DescribeSeverityLevels",
        "support:DescribeSupportLevel",
        "support:SearchForCases",
        "support:AddAttachmentsToSet",
        "support:AddCommunicationToCase",
        "support:CreateCase",
        "support:InitiateCallForCase",
        "support:InitiateChatForCase",
        "support:PutCaseAttributes",
        "support:RateCaseCommunication",
        "support:ResolveCase"
      ],
      "Resource": "*"
    }
  ]
}
```

------

## AWS managed policy: AmazonCodeCatalystFullAccess
<a name="security-iam-awsmanpol-AmazonCodeCatalystFullAccess"></a>





This is a policy that grants permissions to manage your CodeCatalyst space and connected accounts in the Amazon CodeCatalyst Spaces page in the AWS Management Console. This application is used to configure AWS accounts that are connected to your space in CodeCatalyst.



**Permissions details**

This policy includes the following permissions.




+ `codecatalyst` – Grants full permissions (`codecatalyst:*`) to the Amazon CodeCatalyst Spaces page in the AWS Management Console.
+ `iam` – Grants `iam:ListRoles` so that the console can list roles to associate with a space, and `iam:PassRole` restricted by the `iam:PassedToService` condition to the `codecatalyst.amazonaws.com` and `codecatalyst-runner.amazonaws.com` service principals, so that roles can only be passed to CodeCatalyst.



------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CodeCatalystResourceAccess",
            "Effect": "Allow",
            "Action": [
                "codecatalyst:*",
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CodeCatalystAssociateIAMRole",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "codecatalyst.amazonaws.com",
                        "codecatalyst-runner.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------

## AWS managed policy: AmazonCodeCatalystReadOnlyAccess
<a name="security-iam-awsmanpol-AmazonCodeCatalystReadOnlyAccess"></a>





This is a policy that grants permissions to view and list information for spaces and connected accounts in the Amazon CodeCatalyst Spaces page in the AWS Management Console. This application is used to configure AWS accounts that are connected to your space in CodeCatalyst.



**Permissions details**

This policy includes the following permissions.




+ `codecatalyst` – Grants read-only permissions to the Amazon CodeCatalyst Spaces page in the AWS Management Console.



------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codecatalyst:Get*",
                "codecatalyst:List*"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## AWS managed policy: AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronizationPolicy
<a name="security-iam-awsmanpol-AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronizationPolicy"></a>



You can't attach AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronizationPolicy to your IAM entities. This policy is attached to a service-linked role that allows CodeCatalyst to perform actions on your behalf. For more information, see [Using service-linked roles for CodeCatalyst](using-service-linked-roles.md).



This policy allows customers to view application instance profiles and associated directory users and groups when managing spaces in CodeCatalyst. Customers will view these resources when managing spaces that support identity federation and SSO users and groups.



**Permissions details**

This policy includes the following permissions.




+ `sso` – Grants read-only permissions (list and describe IAM Identity Center instances, applications, and application assignments) that let CodeCatalyst view the application instance profiles managed in IAM Identity Center for associated spaces. The policy contains no write actions.



------
#### [ JSON ]


```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronizationPolicy",
			"Effect": "Allow",
			"Action": [
				"sso:ListInstances",
				"sso:ListApplications",
				"sso:ListApplicationAssignments",
				"sso:DescribeInstance",
				"sso:DescribeApplication"
			],
			"Resource": "*"
		}
	]
}
```

------

## CodeCatalyst updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>



View details about updates to AWS managed policies for CodeCatalyst since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the CodeCatalyst [Document history](doc-history.md) page.




| Change | Description | Date | 
| --- | --- | --- | 
|  [AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronizationPolicy](#security-iam-awsmanpol-AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronizationPolicy) – New policy  |  CodeCatalyst added the policy. Grants permissions to allow CodeCatalyst users to view application instance profiles and associated directory users and groups.  | November 17, 2023 | 
|  [AmazonCodeCatalystSupportAccess](#security-iam-awsmanpol-AmazonCodeCatalystSupportAccess) – New policy  |  CodeCatalyst added the policy. Grants permissions to allow CodeCatalyst users to search for, create, and resolve support cases, as well as viewing related communications and details.  | April 20, 2023 | 
|  [AmazonCodeCatalystFullAccess](#security-iam-awsmanpol-AmazonCodeCatalystFullAccess) – New policy  |  CodeCatalyst added the policy. Grants full access to CodeCatalyst.  | April 20, 2023 | 
|  [AmazonCodeCatalystReadOnlyAccess](#security-iam-awsmanpol-AmazonCodeCatalystReadOnlyAccess) – New policy  |  CodeCatalyst added the policy. Grants read-only access to CodeCatalyst.  | April 20, 2023 | 
|  CodeCatalyst started tracking changes  |  CodeCatalyst started tracking changes for its AWS managed policies.  | April 20, 2023 | 



# Grant access to project AWS resources with IAM roles
<a name="ipa-iam-roles"></a>

CodeCatalyst can access AWS resources by connecting your AWS account to a CodeCatalyst space. You can then create the following service roles and associate them when you connect your account.

For more information about the elements that you use in a JSON policy, see [IAM JSON Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.
+ To access resources in an AWS account for your CodeCatalyst projects and workflows, you must first grant permission for CodeCatalyst to access those resources on your behalf. To do so, you must create a service role in a connected AWS account that CodeCatalyst can assume on behalf of users and projects in the space. You can either choose to create and use the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role, or you can create customized service roles and configure these IAM policies and roles manually. As a best practice, assign these roles the least amount of permissions necessary.
**Note**  
For customized service roles, the CodeCatalyst service principal is required. For more information about the CodeCatalyst service principal and trust model, see [Understanding the CodeCatalyst trust model](trust-model.md).
+ To manage support for a space through the connected AWS account, you can choose to create and use the **AWSRoleForCodeCatalystSupport** service role that allows CodeCatalyst users to access support. For more information about support for a CodeCatalyst space, see [Support for Amazon CodeCatalyst](support.md).



## Understanding the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role
<a name="ipa-iam-roles-service-role"></a>

You can add an IAM role for your space that CodeCatalyst can use to create and access resources in a connected AWS account. This is called a [service role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role). The simplest way to create a service role is to add one when you create the space and to choose the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** option for that role. This not only creates the service role with the `AdministratorAccess` attached, but it also creates the trust policy that allows CodeCatalyst to assume the role on behalf of users in projects in the space. The service role is scoped to the space, not to individual projects. To create this role, see [Creating the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role for your account and space](#ipa-iam-roles-service-create). You can only create one role for each space in each account.

**Note**  
This role is only recommended for use with development accounts and uses the `AdministratorAccess` AWS managed policy, giving it full access to create new policies and resources in this AWS account.

The policy attached to the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role is designed to work with projects created with blueprints in the space. It allows users in those projects to develop, build, test, and deploy code using resources in the connected AWS account. For more information, see [Creating a role for an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html).

The policy attached to the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role is the `AdministratorAccess` managed policy in AWS. This is a policy that grants full access to all AWS actions and resources. To view the JSON policy document in the IAM console, see [AdministratorAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AdministratorAccess).

The following trust policy allows CodeCatalyst to assume the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role. For more information about the CodeCatalyst trust model, see [Understanding the CodeCatalyst trust model](trust-model.md).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "codecatalyst-runner.amazonaws.com",
                    "codecatalyst.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:codecatalyst:::space/spaceId/project/*"
                }
            }
        }
    ]
}
```
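The `aws:SourceArn` condition in the trust policy above is what stops a CodeCatalyst project in some other space from assuming the role through the same service principals. The following Python is an added example, not code from the CodeCatalyst documentation or the service itself: it builds the page's trust policy for a given space ID and audits trust policies that name the CodeCatalyst service principals, flagging any `sts:AssumeRole` statement that omits the `aws:SourceArn` condition or wildcards the space ID. The space IDs and the unscoped sample policy are constructed for illustration.

```python
"""Added example, not code from the CodeCatalyst documentation or the service
itself: build the trust policy shown above for a given space, and audit trust
policies that name the CodeCatalyst service principals for statements that
omit (or wildcard) the aws:SourceArn condition that pins the calling space.
The space IDs and the unscoped sample policy are constructed for illustration.
"""
import fnmatch
import re

CODECATALYST_PRINCIPALS = {
    "codecatalyst.amazonaws.com",
    "codecatalyst-runner.amazonaws.com",
}

# Shape of the aws:SourceArn value in the trust policy above: the project ARN
# lives under the space, so pinning the space ID pins which space may assume.
SPACE_PROJECT_ARN_RE = re.compile(r"^arn:aws:codecatalyst:::space/([^/]+)/project/(.+)$")


def build_trust_policy(space_id: str) -> dict:
    """Return the page's trust policy, pinned to one CodeCatalyst space."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": sorted(CODECATALYST_PRINCIPALS)},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "ArnLike": {
                        "aws:SourceArn": f"arn:aws:codecatalyst:::space/{space_id}/project/*"
                    }
                },
            }
        ],
    }


# Constructed sample: the same trust, but with the Condition block left out.
UNSCOPED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "codecatalyst.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value) -> list:
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def source_arn_allowed(pattern: str, source_arn: str) -> bool:
    """ArnLike semantics for aws:SourceArn: '*' and '?' wildcards, case-sensitive."""
    return fnmatch.fnmatchcase(source_arn, pattern)


def audit_trust_policy(policy: dict) -> list:
    """Return one finding per Allow statement that lets a CodeCatalyst service
    principal call sts:AssumeRole without pinning a single space."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if principal == "*":
            services = set(CODECATALYST_PRINCIPALS)  # trusts everyone, CodeCatalyst included
        else:
            services = set(_as_list(principal.get("Service")))
        actions = set(_as_list(stmt.get("Action")))
        if stmt.get("Effect") != "Allow" or not services & CODECATALYST_PRINCIPALS:
            continue
        if not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        condition = stmt.get("Condition", {})
        patterns = []
        for operator in ("ArnLike", "ArnEquals", "StringLike", "StringEquals"):
            patterns += _as_list(condition.get(operator, {}).get("aws:SourceArn"))
        if not patterns:
            findings.append(
                f"statement {index}: no aws:SourceArn condition; any CodeCatalyst space could assume this role"
            )
            continue
        for pattern in patterns:
            match = SPACE_PROJECT_ARN_RE.match(pattern)
            if match is None:
                findings.append(f"statement {index}: aws:SourceArn {pattern!r} is not a space/project ARN")
            elif set("*?") & set(match.group(1)):
                findings.append(f"statement {index}: aws:SourceArn {pattern!r} wildcards the space ID")
    return findings


if __name__ == "__main__":
    for name, policy in (("scoped", build_trust_policy("space-1")), ("unscoped", UNSCOPED_TRUST_POLICY)):
        print(name, audit_trust_policy(policy) or "ok")
```

Run the audit over the trust policy of every role in a connected account that trusts `codecatalyst.amazonaws.com` or `codecatalyst-runner.amazonaws.com` (for example, the output of `aws iam get-role`); a finding means the role is assumable from any space, not only yours.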

## Creating the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role for your account and space
<a name="ipa-iam-roles-service-create"></a>

Follow these steps to create the `CodeCatalystWorkflowDevelopmentRole-spaceName` role that will be used for workflows in your space. For each AWS account that you connect to your space and want to use in projects, you must add a role such as this development role.

Before you begin, you must have administrative privileges for your AWS account or be able to work with your administrator. For more information about how AWS accounts and IAM roles are used in CodeCatalyst, see [Allowing access to AWS resources with connected AWS accounts](ipa-connect-account.md).

**To create and add the CodeCatalyst **CodeCatalystWorkflowDevelopmentRole-*spaceName*****

1. Before you start in the CodeCatalyst console, open the AWS Management Console, and then make sure you are logged in with the same AWS account for your space.

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. Choose the link for the AWS account where you want to create the role. The **AWS account details** page displays.

1. Choose **Manage roles from AWS Management Console**. 

   The **Add IAM role to Amazon CodeCatalyst space** page opens in the AWS Management Console. This is the **Amazon CodeCatalyst spaces** page. You might need to log in to access the page.

1. Choose **Create CodeCatalyst development administrator role in IAM**. This option creates a service role that contains the permissions policy and trust policy for the development role. The role will have a name `CodeCatalystWorkflowDevelopmentRole-spaceName`. For more information about the role and role policy, see [Understanding the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role](#ipa-iam-roles-service-role).
**Note**  
This role is only recommended for use with developer accounts and uses the `AdministratorAccess` AWS managed policy, giving it full access to create new policies and resources in this AWS account.

1. Choose **Create development role**.

1. On the connections page, under **IAM roles available to CodeCatalyst**, view the `CodeCatalystWorkflowDevelopmentRole-spaceName` role in the list of IAM roles added to your account.

1. To return to your space, choose **Go to Amazon CodeCatalyst**.

## Understanding the **AWSRoleForCodeCatalystSupport** service role
<a name="ipa-iam-roles-support-role"></a>

You can add an IAM role for your space that CodeCatalyst users in the space can use to create and access support cases. This is called a [service role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role) for support. The simplest way to create a service role for support is to add one when you create the space and to choose the `AWSRoleForCodeCatalystSupport` option for that role. This not only creates the policy and the role, but it also creates the trust policy that allows CodeCatalyst to assume the role on behalf of users in projects in the space. The service role is scoped to the space, not to individual projects. To create this role, see [Creating the **AWSRoleForCodeCatalystSupport** role for your account and space](#ipa-iam-roles-support-create).

The policy attached to the `AWSRoleForCodeCatalystSupport` role is the AmazonCodeCatalystSupportAccess managed policy, which grants the support permissions. For more information, see [AWS managed policy: AmazonCodeCatalystSupportAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AmazonCodeCatalystSupportAccess).

The trust policy for the role allows CodeCatalyst to assume it. Unlike the trust policy for the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role, the trust policy shown here carries no `aws:SourceArn` condition.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "codecatalyst.amazonaws.com",
                    "codecatalyst-runner.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

------

## Creating the **AWSRoleForCodeCatalystSupport** role for your account and space
<a name="ipa-iam-roles-support-create"></a>

Follow these steps to create the `AWSRoleForCodeCatalystSupport` role that will be used for support cases in your space. The role must be added to the designated billing account for the space.

Before you begin, you must have administrative privileges for your AWS account or be able to work with your administrator. For more information about how AWS accounts and IAM roles are used in CodeCatalyst, see [Allowing access to AWS resources with connected AWS accounts](ipa-connect-account.md).

**To create and add the CodeCatalyst **AWSRoleForCodeCatalystSupport****

1. Before you start in the CodeCatalyst console, open the AWS Management Console, and then make sure you are logged in with the same AWS account for your space.

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. Choose the link for the AWS account where you want to create the role. The **AWS account details** page displays.

1. Choose **Manage roles from AWS Management Console**. 

   The **Add IAM role to Amazon CodeCatalyst space** page opens in the AWS Management Console. This is the **Amazon CodeCatalyst Spaces** page. You might need to sign in to access the page.

1. Under **CodeCatalyst space details**, choose **Add CodeCatalyst Support role**. This option creates a service role that contains the permissions policy and trust policy for the support role. The role will have a name **AWSRoleForCodeCatalystSupport** with a unique identifier appended. For more information about the role and role policy, see [Understanding the **AWSRoleForCodeCatalystSupport** service role](#ipa-iam-roles-support-role).

1. On the **Add role for CodeCatalyst Support** page, leave the default selected, and then choose **Create role**.

1. Under **IAM roles available to CodeCatalyst**, view the **AWSRoleForCodeCatalystSupport** role in the list of IAM roles added to your account.

1. To return to your space, choose **Go to Amazon CodeCatalyst**.

## Configuring IAM roles for workflow actions in CodeCatalyst
<a name="ipa-iam-roles-policies"></a>

This section details IAM roles and policies that you can create to use with your CodeCatalyst account. For instructions to create example roles, see [Creating roles manually for workflow actions](#ipa-iam-roles-actions). After you create your IAM role, copy the role ARN to add the IAM role to your account connection and associate it with your project environment. To learn more, see [Adding IAM roles to account connections](ipa-connect-account-addroles.md).

### CodeCatalyst build role for Amazon S3 access
<a name="ipa-iam-rolepolicy-BuildRoleS3"></a>

For CodeCatalyst workflow build actions, you can use the default **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role, or you can create an IAM role named **CodeCatalystBuildRoleforS3Access**. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on CloudFormation resources in your AWS account.

This role gives permissions to do the following:
+ Write to Amazon S3 buckets.
+ Support building of resources with CloudFormation. This requires Amazon S3 access.

This role uses the following policy:

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

### CodeCatalyst build role for CloudFormation
<a name="ipa-iam-rolepolicy-BuildRoleCloudFormation"></a>

For CodeCatalyst workflow build actions, you can use the default **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role, or you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on CloudFormation resources in your AWS account.

This role gives permissions to do the following:
+ Support building of resources with CloudFormation. This is required along with the CodeCatalyst build role for Amazon S3 access and the CodeCatalyst deploy role for CloudFormation.

The following AWS managed policies should be attached to this role:
+ **AWSCloudFormationFullAccess**
+ **IAMFullAccess**
+ **AmazonS3FullAccess**
+ **AmazonAPIGatewayAdministrator**
+ **AWSLambdaFullAccess** (this AWS managed policy is deprecated; for new role attachments AWS provides **AWSLambda\_FullAccess** as its replacement)

### CodeCatalyst build role for CDK
<a name="ipa-iam-rolepolicy-BuildRoleCDK"></a>

For CodeCatalyst workflows that run CDK build actions, such as Modern three-tier web application, you can use the default **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role, or you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to bootstrap and run CDK build commands for CloudFormation resources in your AWS account.

This role gives permissions to do the following:
+ Write to Amazon S3 buckets.
+ Support building of CDK constructs and CloudFormation resource stacks. This requires access to Amazon S3 for artifact storage, Amazon ECR for image repository support, and SSM for system governance and monitoring for virtual instances.

This role uses the following policy:

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

### CodeCatalyst deploy role for CloudFormation
<a name="ipa-iam-rolepolicy-DeployCloudFormation"></a>

For CodeCatalyst workflow deploy actions that use CloudFormation, you can use the default **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role, or you can use a policy with scoped permissions that CodeCatalyst needs to run tasks on CloudFormation resources in your AWS account.

This role gives permissions to do the following:
+ Allow CodeCatalyst to invoke a Lambda function to perform blue/green deployment through CloudFormation.
+ Allow CodeCatalyst to create and update stacks and changesets in CloudFormation.

This role uses the following policy:

```
{"Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:Describe*",
        "cloudformation:UpdateStack",
        "cloudformation:CreateChangeSet",
        "cloudformation:DeleteChangeSet",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:SetStackPolicy",
        "cloudformation:ValidateTemplate",
        "cloudformation:List*",
        "iam:PassRole"
    ],
    "Resource": "resource_ARN",
    "Effect": "Allow"
}
```

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

### CodeCatalyst deploy role for Amazon EC2
<a name="ipa-iam-rolepolicy-DeployEC2"></a>

CodeCatalyst workflow deploy actions use an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Amazon EC2 resources in your AWS account. The default policy for the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role does not include permissions for Amazon EC2 or Amazon EC2 Auto Scaling.

This role gives permissions to do the following:
+ Create Amazon EC2 deployments.
+ Read the tags on an instance or identify an Amazon EC2 instance by Auto Scaling group names. 
+ Read, create, update, and delete Amazon EC2 Auto Scaling groups, lifecycle hooks, and scaling policies.
+ Publish information to Amazon SNS topics.
+ Retrieve information about CloudWatch alarms.
+ Read and update Elastic Load Balancing.

This role uses the following policy:

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

### CodeCatalyst deploy role for Amazon ECS
<a name="ipa-iam-rolepolicy-DeployECS"></a>

For CodeCatalyst workflow actions, you can use the default **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role, or you can create an IAM role for CodeCatalyst deploy actions to use for Amazon ECS deployments. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Amazon ECS resources in your AWS account.

This role gives permissions to do the following:
+ Initiate rolling Amazon ECS deployment on behalf of a CodeCatalyst user, in an account specified in the CodeCatalyst connection.
+ Read, update, and delete Amazon ECS task sets.
+ Update Elastic Load Balancing target groups, listeners, and rules.
+ Invoke Lambda functions.
+ Access revision files in Amazon S3 buckets.
+ Retrieve information about CloudWatch alarms.
+ Publish information to Amazon SNS topics.

This role uses the following policy:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeServices",
                "ecs:CreateTaskSet",
                "ecs:DeleteTaskSet",
                "ecs:ListClusters",
                "ecs:RegisterTaskDefinition",
                "ecs:UpdateServicePrimaryTaskSet",
                "ecs:UpdateService",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:ModifyRule",
                "lambda:InvokeFunction",
                "lambda:ListFunctions",
                "cloudwatch:DescribeAlarms",
                "sns:Publish",
                "sns:ListTopics",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "codedeploy:CreateApplication",
                "codedeploy:CreateDeployment",
                "codedeploy:CreateDeploymentGroup",
                "codedeploy:GetApplication",
                "codedeploy:GetDeployment",
                "codedeploy:GetDeploymentGroup",
                "codedeploy:ListApplications",
                "codedeploy:ListDeploymentGroups",
                "codedeploy:ListDeployments",
                "codedeploy:StopDeployment",
                "codedeploy:GetDeploymentTarget",
                "codedeploy:ListDeploymentTargets",
                "codedeploy:GetDeploymentConfig",
                "codedeploy:GetApplicationRevision",
                "codedeploy:RegisterApplicationRevision",
                "codedeploy:BatchGetApplicationRevisions",
                "codedeploy:BatchGetDeploymentGroups",
                "codedeploy:BatchGetDeployments",
                "codedeploy:BatchGetApplications",
                "codedeploy:ListApplicationRevisions",
                "codedeploy:ListDeploymentConfigs",
                "codedeploy:ContinueDeployment"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "ecs-tasks.amazonaws.com",
                        "codedeploy.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

### CodeCatalyst deploy role for Lambda
<a name="ipa-iam-rolepolicy-DeployLambda"></a>

For CodeCatalyst workflow actions, you can use the default **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role, or you can create an IAM role for CodeCatalyst deploy actions to use for Lambda deployments. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Lambda resources in your AWS account.

This role gives permissions to do the following:
+ Read, update, and invoke Lambda functions and aliases.
+ Access revision files in Amazon S3 buckets.
+ Retrieve information about CloudWatch Events alarms.
+ Publish information to Amazon SNS topics.

This role uses the following policy:

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

### CodeCatalyst deploy role for AWS SAM
<a name="ipa-iam-rolepolicy-DeploySAM"></a>

For CodeCatalyst workflow actions, you can use the default **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role, or you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on AWS SAM and CloudFormation resources in your AWS account.

This role gives permissions to do the following:
+ Allow CodeCatalyst to invoke a Lambda function to perform deployment of serverless and AWS SAM CLI applications.
+ Allow CodeCatalyst to create and update stacks and changesets in CloudFormation.

This role uses the following policy:

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

### CodeCatalyst read only role for Amazon EC2
<a name="ipa-iam-rolepolicy-ReadOnlyEC2"></a>

For CodeCatalyst workflow actions, you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Amazon EC2 resources in your AWS account. The **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role does not include permissions for Amazon EC2 or the described actions for Amazon CloudWatch.

This role gives permissions to do the following:
+ Get status of Amazon EC2 instances.
+ Get CloudWatch metrics for Amazon EC2 instances.

This role uses the following policy:

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

### CodeCatalyst read only role for Amazon ECS
<a name="ipa-iam-rolepolicy-ReadOnlyECS"></a>

For CodeCatalyst workflow actions, you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Amazon ECS resources in your AWS account.

This role gives permissions to do the following:
+ Read Amazon ECS task sets. 
+ Retrieve information about CloudWatch alarms.

This role uses the following policy:

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

### CodeCatalyst read only role for Lambda
<a name="ipa-iam-rolepolicy-ReadOnlyLambda"></a>

For CodeCatalyst workflow actions, you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Lambda resources in your AWS account.

This role gives permissions for the following:
+ Read Lambda functions and aliases.
+ Access revision files in Amazon S3 buckets.
+ Retrieve information about CloudWatch alarms.

This role uses the following policy:

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

## Creating roles manually for workflow actions
<a name="ipa-iam-roles-actions"></a>

CodeCatalyst workflow actions use IAM roles that you create called the **build role**, the **deploy role**, and the **stack role**.

Follow these steps to create these roles in IAM.

**To create a deploy role**

1. Create a policy for the role, as follows:

   1. Sign in to AWS.

   1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

   1. In the navigation pane, choose **Policies**.

   1. Choose **Create policy**.

   1. Choose the **JSON** tab.

   1. Delete the existing code.

   1. Paste the following code:
**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

      ```
      "Resource": "*"
      ```

   1. Choose **Next: Tags**.

   1. Choose **Next: Review**.

   1. In **Name**, enter:

      ```
      codecatalyst-deploy-policy
      ```

   1. Choose **Create policy**.

      You have now created a permissions policy.

1. Create the deploy role, as follows:

   1. In the navigation pane, choose **Roles**, and then choose **Create role**.

   1. Choose **Custom trust policy**.

   1. Delete the existing custom trust policy.

   1. Add the following custom trust policy:

   1. Choose **Next**.

   1. In **Permissions policies**, search for `codecatalyst-deploy-policy` and select its check box.

   1. Choose **Next**.

   1. For **Role name**, enter:

      ```
      codecatalyst-deploy-role
      ```

   1. For **Role description**, enter:

      ```
      CodeCatalyst deploy role
      ```

   1. Choose **Create role**.

   You have now created a deploy role with a trust policy and permissions policy.

1. Obtain the deploy role ARN, as follows:

   1. In the navigation pane, choose **Roles**.

   1. In the search box, enter the name of the role you just created (`codecatalyst-deploy-role`).

   1. Choose the role from the list.

      The role's **Summary** page appears.

   1. At the top, copy the **ARN** value.

   You have now created the deploy role with the appropriate permissions, and obtained its ARN.

**To create a build role**

1. Create a policy for the role, as follows:

   1. Sign in to AWS.

   1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

   1. In the navigation pane, choose **Policies**.

   1. Choose **Create policy**.

   1. Choose the **JSON** tab.

   1. Delete the existing code.

   1. Paste the following code:
**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

      ```
      "Resource": "*"
      ```

   1. Choose **Next: Tags**.

   1. Choose **Next: Review**.

   1. In **Name**, enter:

      ```
      codecatalyst-build-policy
      ```

   1. Choose **Create policy**.

      You have now created a permissions policy.

1. Create the build role, as follows:

   1. In the navigation pane, choose **Roles**, and then choose **Create role**.

   1. Choose **Custom trust policy**.

   1. Delete the existing custom trust policy.

   1. Add the following custom trust policy:

   1. Choose **Next**.

   1. In **Permissions policies**, search for `codecatalyst-build-policy` and select its check box.

   1. Choose **Next**.

   1. For **Role name**, enter:

      ```
      codecatalyst-build-role
      ```

   1. For **Role description**, enter:

      ```
      CodeCatalyst build role
      ```

   1. Choose **Create role**.

   You have now created a build role with a trust policy and permissions policy.

1. Obtain the build role ARN, as follows:

   1. In the navigation pane, choose **Roles**.

   1. In the search box, enter the name of the role you just created (`codecatalyst-build-role`).

   1. Choose the role from the list.

      The role's **Summary** page appears.

   1. At the top, copy the **ARN** value.

   You have now created the build role with the appropriate permissions, and obtained its ARN.

**To create a stack role**
**Note**  
You don't have to create a stack role, although doing so is recommended for security reasons. If you don't create the stack role, you'll need to add the permissions policies described further on in this procedure to the deploy role.

1. Sign in to AWS using the account where you want to deploy your stack.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**, and then choose **Create role**.

1. At the top, choose **AWS service**.

1. From the list of services, choose **CloudFormation**.

1. Choose **Next: Permissions**.

1. In the search box, add any policies that are required to access the resources in your stack. For example, if your stack includes an AWS Lambda function, you need to add a policy that grants access to Lambda.
**Tip**  
If you're unsure which policies to add, you can omit them for now. When you test the action, if you don't have the right permissions, CloudFormation generates errors that show which permissions you need to add.

1. Choose **Next: Tags**.

1. Choose **Next: Review**.

1. For **Role name**, enter:

   ```
   codecatalyst-stack-role
   ```

1. Choose **Create role**.

1. To obtain the stack role's ARN, do the following:

   1. In the navigation pane, choose **Roles**.

   1. In the search box, enter the name of the role you just created (`codecatalyst-stack-role`).

   1. Choose the role from the list.

   1. On the **Summary** page, copy the **Role ARN** value.

## Using AWS CloudFormation to create policies and roles in IAM
<a name="ipa-iam-roles-cfn"></a>

You can choose to create and use AWS CloudFormation templates to create the policies and roles you need to access resources in an AWS account for your CodeCatalyst projects and workflows. CloudFormation is a service that helps you model and set up your AWS resources so that you can spend less time managing those resources and more time focusing on your applications that run on AWS. If you intend to create roles in multiple AWS accounts, creating a template can help you perform this task more quickly.

The following example template creates a deploy action role and policy.

```
Parameters:
  CodeCatalystAccountId:
    Type: String
    Description: Account ID from the connections page
  ExternalId:
    Type: String
    Description: External ID from the connections page
Resources:
  CrossAccountRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Ref CodeCatalystAccountId
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      Path: /
      Policies:
        - PolicyName: CodeCatalyst-CloudFormation-action-policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - 'cloudformation:CreateStack'
                  - 'cloudformation:DeleteStack'
                  - 'cloudformation:Describe*'
                  - 'cloudformation:UpdateStack'
                  - 'cloudformation:CreateChangeSet'
                  - 'cloudformation:DeleteChangeSet'
                  - 'cloudformation:ExecuteChangeSet'
                  - 'cloudformation:SetStackPolicy'
                  - 'cloudformation:ValidateTemplate'
                  - 'cloudformation:List*'
                  - 'iam:PassRole'
                Resource: '*'
```
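The notes in this guide say to start with the `"Resource": "*"` wildcard and scope it down once the resource ARNs exist, and the Amazon ECS deploy policy above shows `iam:PassRole` restricted with an `iam:PassedToService` condition. The following Python script is an added example, not AWS's or CodeCatalyst's own tooling: it audits a policy document for statements that still carry the wildcard, flags `iam:PassRole` grants with no `iam:PassedToService` condition, and performs the scope-down step with ARNs you supply. The two sample policies and the stack ARN in the usage are constructed from the policies shown on this page.

```python
import fnmatch
import json

# Constructed sample: the CloudFormation deploy policy from this guide in
# its first-run form (wildcard resource, unconditioned iam:PassRole).
CFN_DEPLOY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
               "cloudformation:Describe*", "cloudformation:List*",
               "iam:PassRole"],
    "Resource": "*"
  }]
}
""")

# Constructed sample: two statements modelled on the ECS deploy policy; the
# PassRole statement already limits which services the role may be passed to.
ECS_DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:UpdateService"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
         "Condition": {"StringLike": {"iam:PassedToService": [
             "ecs-tasks.amazonaws.com", "codedeploy.amazonaws.com"]}}},
    ],
}


def _as_list(value):
    """Action/Resource/Statement may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants(statement, action):
    """True if an Allow statement's Action patterns cover `action`.

    IAM matches action names case-insensitively and supports '*' and '?'.
    """
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action")))


def _has_condition_key(statement, key):
    """True if any operator block under Condition carries `key` (case-insensitive)."""
    for operator_block in statement.get("Condition", {}).values():
        if any(k.lower() == key.lower() for k in operator_block):
            return True
    return False


def wildcard_resource_statements(policy):
    """Indexes of Allow statements whose Resource is still the '*' wildcard.

    These are the statements to scope down once the resource ARNs are known.
    """
    return [i for i, s in enumerate(_as_list(policy.get("Statement")))
            if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource"))]


def unconditioned_passrole_statements(policy):
    """Indexes of Allow statements granting iam:PassRole on '*' with no
    iam:PassedToService condition, so the role could be passed to any service."""
    hits = []
    for i, s in enumerate(_as_list(policy.get("Statement"))):
        if (_grants(s, "iam:PassRole") and "*" in _as_list(s.get("Resource"))
                and not _has_condition_key(s, "iam:PassedToService")):
            hits.append(i)
    return hits


def scope_down(policy, arns_by_statement):
    """Return a copy of `policy` where the Resource of each listed statement
    index is replaced by the given ARNs (the scope-down step). Input is untouched."""
    scoped = json.loads(json.dumps(policy))  # cheap deep copy of plain JSON
    statements = _as_list(scoped.get("Statement"))
    for index, arns in arns_by_statement.items():
        statements[index]["Resource"] = list(arns)
    return scoped


if __name__ == "__main__":
    for name, policy in (("cloudformation-deploy", CFN_DEPLOY_POLICY),
                         ("ecs-deploy", ECS_DEPLOY_POLICY)):
        print(name, "wildcard Resource in statements:",
              wildcard_resource_statements(policy),
              "| PassRole without PassedToService in statements:",
              unconditioned_passrole_statements(policy))
    # Constructed placeholder ARN standing in for the stack created by the workflow.
    stack_arn = "arn:aws:cloudformation:us-east-1:111122223333:stack/example-stack/*"
    print(json.dumps(scope_down(CFN_DEPLOY_POLICY, {0: [stack_arn]}), indent=2))
```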

## Creating the role manually for the web application blueprint
<a name="ipa-iam-roles-webapp-blueprint"></a>

The CodeCatalyst web application blueprint uses IAM roles that you create called the **build role for CDK**, the **deploy role**, and the **stack role**.

Follow these steps to create the role in IAM.

**To create a build role**

1. Create a policy for the role, as follows:

   1. Sign in to AWS.

   1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

   1. In the navigation pane, choose **Policies**.

   1. Choose **Create Policy**.

   1. Choose the **JSON** tab.

   1. Delete the existing code.

   1. Paste the following code:
**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

      ```
      "Resource": "*"
      ```

   1. Choose **Next: Tags**.

   1. Choose **Next: Review**.

   1. In **Name**, enter:

      ```
      codecatalyst-webapp-build-policy
      ```

   1. Choose **Create policy**.

      You have now created a permissions policy.

1. Create the build role, as follows:

   1. In the navigation pane, choose **Roles**, and then choose **Create role**.

   1. Choose **Custom trust policy**.

   1. Delete the existing custom trust policy.

   1. Add the following custom trust policy:

   1. Choose **Next**.

   1. Attach the permissions policy to the build role. On the **Add permissions** page, in the **Permissions policies** section, search for `codecatalyst-webapp-build-policy` and select its check box.

   1. Choose **Next**.

   1. For **Role name**, enter:

      ```
      codecatalyst-webapp-build-role
      ```

   1. For **Role description**, enter:

      ```
      CodeCatalyst Web app build role
      ```

   1. Choose **Create role**.

   You have now created a build role with a trust policy and permissions policy.

1. Attach the permissions policy to the build role, as follows:

   1. In the navigation pane, choose **Roles**, and then search for `codecatalyst-webapp-build-role`.

   1. Choose `codecatalyst-webapp-build-role` to display its details.

   1. In the **Permissions** tab, choose **Add permissions**, and then choose **Attach policies**.

   1. Search for `codecatalyst-webapp-build-policy`, select its check box, and then choose **Attach policies**.

      You have now attached the permissions policy to the build role. The build role now has two policies: a permissions policy and a trust policy.

1. Obtain the build role ARN, as follows:

   1. In the navigation pane, choose **Roles**.

   1. In the search box, enter the name of the role you just created (`codecatalyst-webapp-build-role`).

   1. Choose the role from the list.

      The role's **Summary** page appears.

   1. At the top, copy the **ARN** value.

   You have now created the build role with the appropriate permissions, and obtained its ARN.

## Creating roles manually for the SAM blueprint
<a name="ipa-iam-roles-SAM-blueprint"></a>

The CodeCatalyst SAM blueprint uses IAM roles that you create called the **build role for CloudFormation** and the **deploy role for SAM**.

Follow these steps to create the roles in IAM.

**To create a build role for CloudFormation**

1. Create a policy for the role, as follows:

   1. Sign in to AWS.

   1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

   1. In the navigation pane, choose **Policies**.

   1. Choose **Create Policy**.

   1. Choose the **JSON** tab.

   1. Delete the existing code.

   1. Paste the following code:

------
#### [ JSON ]

      ```
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:*",
                      "cloudformation:*"
                  ],
                  "Resource": "*"
              }
          ]
      }
      ```

------
**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

      ```
      "Resource": "*"
      ```

   1. Choose **Next: Tags**.

   1. Choose **Next: Review**.

   1. In **Name**, enter:

      ```
      codecatalyst-SAM-build-policy
      ```

   1. Choose **Create policy**.

      You have now created a permissions policy.

1. Create the build role, as follows:

   1. In the navigation pane, choose **Roles**, and then choose **Create role**.

   1. Choose **Custom trust policy**.

   1. Delete the existing custom trust policy.

   1. Add the following custom trust policy:

   1. Choose **Next**.

   1. Attach the permissions policy to the build role. On the **Add permissions** page, in the **Permissions policies** section, search for `codecatalyst-SAM-build-policy` and select its check box.

   1. Choose **Next**.

   1. For **Role name**, enter:

      ```
      codecatalyst-SAM-build-role
      ```

   1. For **Role description**, enter:

      ```
      CodeCatalyst SAM build role
      ```

   1. Choose **Create role**.

   You have now created a build role with a trust policy and permissions policy.

1. Attach the permissions policy to the build role, as follows:

   1. In the navigation pane, choose **Roles**, and then search for `codecatalyst-SAM-build-role`.

   1. Choose `codecatalyst-SAM-build-role` to display its details.

   1. In the **Permissions** tab, choose **Add permissions**, and then choose **Attach policies**.

   1. Search for `codecatalyst-SAM-build-policy`, select its check box, and then choose **Attach policies**.

      You have now attached the permissions policy to the build role. The build role now has two policies: a permissions policy and a trust policy.

1. Obtain the build role ARN, as follows:

   1. In the navigation pane, choose **Roles**.

   1. In the search box, enter the name of the role you just created (`codecatalyst-SAM-build-role`).

   1. Choose the role from the list.

      The role's **Summary** page appears.

   1. At the top, copy the **ARN** value.

   You have now created the build role with the appropriate permissions, and obtained its ARN.

**To create a deploy role for SAM**

1. Create a policy for the role, as follows:

   1. Sign in to AWS.

   1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

   1. In the navigation pane, choose **Policies**.

   1. Choose **Create Policy**.

   1. Choose the **JSON** tab.

   1. Delete the existing code.

   1. Paste the following code:
**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

      ```
      "Resource": "*"
      ```

   1. Choose **Next: Tags**.

   1. Choose **Next: Review**.

   1. In **Name**, enter:

      ```
      codecatalyst-SAM-deploy-policy
      ```

   1. Choose **Create policy**.

      You have now created a permissions policy.

1. Create the deploy role, as follows:

   1. In the navigation pane, choose **Roles**, and then choose **Create role**.

   1. Choose **Custom trust policy**.

   1. Delete the existing custom trust policy.

   1. Add the following custom trust policy:

   1. Choose **Next**.

   1. Attach the permissions policy to the deploy role. On the **Add permissions** page, in the **Permissions policies** section, search for `codecatalyst-SAM-deploy-policy` and select its check box.

   1. Choose **Next**.

   1. For **Role name**, enter:

      ```
      codecatalyst-SAM-deploy-role
      ```

   1. For **Role description**, enter:

      ```
      CodeCatalyst SAM deploy role
      ```

   1. Choose **Create role**.

   You have now created a deploy role with a trust policy and permissions policy.

1. Attach the permissions policy to the deploy role, as follows:

   1. In the navigation pane, choose **Roles**, and then search for `codecatalyst-SAM-deploy-role`.

   1. Choose `codecatalyst-SAM-deploy-role` to display its details.

   1. In the **Permissions** tab, choose **Add permissions**, and then choose **Attach policies**.

   1. Search for `codecatalyst-SAM-deploy-policy`, select its check box, and then choose **Attach policies**.

      You have now attached the permissions policy to the deploy role. The deploy role now has two policies: a permissions policy and a trust policy.

1. Obtain the deploy role ARN, as follows:

   1. In the navigation pane, choose **Roles**.

   1. In the search box, enter the name of the role you just created (`codecatalyst-SAM-deploy-role`).

   1. Choose the role from the list.

      The role's **Summary** page appears.

   1. At the top, copy the **ARN** value.

   You have now created the deploy role with the appropriate permissions, and obtained its ARN.

# Compliance validation for Amazon CodeCatalyst
<a name="compliance-validation"></a>

To learn whether an AWS service is within the scope of specific compliance programs, see [AWS services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/) and choose the compliance program that you are interested in. For general information, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/).

You can download third-party audit reports using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html).

Your compliance responsibility when using AWS services is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. For more information about your compliance responsibility when using AWS services, see [AWS Security Documentation](https://docs.aws.amazon.com/security/).

# Resilience in Amazon CodeCatalyst
<a name="disaster-recovery-resiliency"></a>

The AWS global infrastructure is built around AWS Regions and Availability Zones. Regions provide multiple physically separated and isolated Availability Zones, which are connected through low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/). To learn more about what CodeCatalyst data is replicated across AWS Regions, see [Data protection in Amazon CodeCatalyst](data-protection.md).

# Infrastructure Security in Amazon CodeCatalyst
<a name="infrastructure-security"></a>

As a managed service, Amazon CodeCatalyst is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in *Security Pillar AWS Well-Architected Framework*.

You use AWS published API calls to access CodeCatalyst through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

# Configuration and vulnerability analysis in Amazon CodeCatalyst
<a name="vulnerability-analysis-and-management"></a>

Configuration and IT controls are a shared responsibility between AWS and you, our customer. For more information, see the AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/).

# Your data and privacy in Amazon CodeCatalyst
<a name="your-data-privacy"></a>

Amazon CodeCatalyst takes your privacy seriously, and the security of your information is our top priority. You can review more about how we handle your information in the [AWS Privacy Notice](https://aws.amazon.com/privacy/). 

To request and view your data, see [Requesting your data](https://docs.aws.amazon.com/general/latest/gr/privacy-aws_builder_id.html#request-delete-aws_builder_id) in the AWS General Reference.

## Deleting your AWS Builder ID profile
<a name="id-delete-profile"></a>

Deleting your profile is a permanent action that cannot be reversed. The deletion process begins immediately after you choose **Delete**. Amazon CodeCatalyst starts deleting your profile and all associated personal information. This process may take up to 90 days to complete.

When your profile is deleted, you cannot access or recover your data in Amazon CodeCatalyst. This includes Personal Access Tokens, Roles, User Memberships, and any Amazon CodeCatalyst spaces of which you are the only member. You can no longer sign in to Amazon CodeCatalyst.

For information on how to delete your AWS Builder ID profile, see [Deleting your AWS Builder ID](https://docs.aws.amazon.com/general/latest/gr/delete-aws_builder_id.html) in the AWS General Reference.

# Best practices for workflow actions in Amazon CodeCatalyst
<a name="security-best-practices-for-actions"></a>

There are a number of security best practices to consider as you develop your workflows in CodeCatalyst. The following are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.

**Topics**
+ [Sensitive information](#sensitive-info)
+ [Licensing terms](#licensing-terms)
+ [Untrusted code](#untrusted-code)
+ [GitHub Actions](#github-actions)

## Sensitive information
<a name="sensitive-info"></a>

Do not embed sensitive information in your YAML. Rather than embedding credentials, keys, or tokens in your YAML, we recommend you use CodeCatalyst secrets. Secrets provide an easy way to store and reference sensitive information from within your YAML.

## Licensing terms
<a name="licensing-terms"></a>

Make sure to pay attention to the licensing terms of the action you choose to use.

## Untrusted code
<a name="untrusted-code"></a>

Actions are generally self-contained, single purpose modules that can be shared across a project, space, or the broader community. Using code from others can be a great convenience and efficiency gain, but also introduces a new threat vector. Review the following sections to ensure you’re following best practices to keep your CI/CD workflows secure.

## GitHub Actions
<a name="github-actions"></a>

GitHub Actions are open source, built and maintained by the community. We follow the [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) and consider GitHub Actions source code as customer data for which you are responsible. GitHub Actions can be granted access to secrets, repository tokens, source code, account links, and your compute time. Make sure you are confident in the trustworthiness and security of the GitHub Actions you plan to run.

More specific guidance and security best practices for GitHub Actions:
+ [Security hardening](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)
+ [Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
+ [Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input/)
+ [How to trust your building blocks](https://securitylab.github.com/research/github-actions-building-blocks/)

# Understanding the CodeCatalyst trust model
<a name="trust-model"></a>

The Amazon CodeCatalyst trust model allows CodeCatalyst to assume the service role in the connected AWS account. The model connects the IAM role, the CodeCatalyst service principals, and the CodeCatalyst space. The trust policy uses the `aws:SourceArn` condition key to grant permissions to the CodeCatalyst space specified in the condition key. For more information about this condition key, see [aws:SourceArn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) in the *IAM User Guide*.

A trust policy is a JSON policy document in which you define the principals that you trust to assume the role. A role trust policy is a required resource-based policy that is attached to a role in IAM. For more information, see [Terms and concepts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) in the *IAM User Guide*. For details about the service principals for CodeCatalyst, see [Service principals for CodeCatalyst](#service-principals).

In the following trust policy, the service principals listed in the `Principal` element are granted permissions from the resource-based policy, and the `Condition` block is used to limit access to the scoped-down resource.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "codecatalyst-runner.amazonaws.com",
                    "codecatalyst.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:codecatalyst:::space/spaceId/project/*"
                }
            }
        }
    ]
}
```

------

In the trust policy, the CodeCatalyst service principals are given access through the `aws:SourceArn` condition key, which contains the Amazon Resource Name (ARN) for the CodeCatalyst space ID. The ARN uses the following format:

```
arn:aws:codecatalyst:::space/spaceId/project/*
```

**Important**  
Use the space ID only in condition keys, such as `aws:SourceArn`. Do not use the space ID in IAM policy statements as a resource ARN.

As a best practice, scope down permissions as much as possible in the policy.
+ You can use the wildcard (`*`) in the `aws:SourceArn` condition key to specify all projects in the space with `project/*`.
+ You can specify resource-level permissions in the `aws:SourceArn` condition key for a specific project in the space with `project/projectId`.
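As an added example (not code from the CodeCatalyst documentation), a small Python check that applies the scoping guidance above to a role trust policy: it accepts only the two CodeCatalyst service principals, requires an `aws:SourceArn` condition in the documented space ARN shape, and flags `project/*` as broader than a single project. The `scoped_policy` helper is an assumed convenience, and the space and project IDs passed to it are placeholders.

```python
import re

# Service principals the documentation lists for CodeCatalyst.
CODECATALYST_PRINCIPALS = {
    "codecatalyst.amazonaws.com",
    "codecatalyst-runner.amazonaws.com",
}
# Shape of an aws:SourceArn value: the space ID, then every project (*) or one project ID.
SOURCE_ARN_RE = re.compile(r"^arn:aws:codecatalyst:::space/[^/*]+/project/(\*|[^/*]+)$")

def _as_list(value):
    """Normalise a policy field that may be absent, a string, or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy):
    """Return a list of findings for a role trust policy; empty means every check passed."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        services = set(_as_list(stmt.get("Principal", {}).get("Service")))
        unknown = services - CODECATALYST_PRINCIPALS
        if unknown:
            findings.append("unexpected service principal: " + ", ".join(sorted(unknown)))
        cond = stmt.get("Condition", {})
        arns = []
        for operator in ("ArnLike", "ArnEquals"):
            arns += _as_list(cond.get(operator, {}).get("aws:SourceArn"))
        if not arns:
            findings.append("no aws:SourceArn condition: statement is not scoped to a space")
        for arn in arns:
            match = SOURCE_ARN_RE.match(arn)
            if not match:
                findings.append("malformed aws:SourceArn: " + arn)
            elif match.group(1) == "*":
                findings.append("aws:SourceArn covers every project; prefer project/projectId")
    return findings

def scoped_policy(space_id, project="*"):
    """Build the documented trust policy for one space, optionally narrowed to one project ID (placeholders)."""
    arn = "arn:aws:codecatalyst:::space/%s/project/%s" % (space_id, project)
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": sorted(CODECATALYST_PRINCIPALS)},
        "Action": "sts:AssumeRole",
        "Condition": {"ArnLike": {"aws:SourceArn": arn}},
    }]}
```

Run `check_trust_policy` over the trust policy exported from IAM; an empty list means the statement is limited to the CodeCatalyst principals and to one project of one space.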

## Service principals for CodeCatalyst
<a name="service-principals"></a>

You use the `Principal` element in a resource-based JSON policy to specify the principal that is allowed or denied access to a resource. The principals that you can specify in the trust policy include users, roles, accounts, and services. You cannot use the `Principal` element in an identity-based policy; similarly, you cannot identify a user group as a principal in a policy (such as a resource-based policy) because groups relate to permissions, not authentication, and principals are authenticated IAM entities.

In the trust policy, you can specify AWS services in the `Principal` element of a resource-based policy or in condition keys that support principals. Service principals are defined by the service. The following are the service principals defined for CodeCatalyst:
+ **codecatalyst.amazonaws.com** - This service principal is used for a role that will grant CodeCatalyst access to AWS.
+ **codecatalyst-runner.amazonaws.com** - This service principal is used for a role that will grant CodeCatalyst access to AWS resources in deployments for CodeCatalyst workflows.

For more information, see [AWS JSON policy elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in the *IAM User Guide*.