Amazon Key Management Service and encryption for Amazon CodeCommit repositories - Amazon CodeCommit
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Key Management Service and encryption for Amazon CodeCommit repositories

Data in CodeCommit repositories is encrypted in transit and at rest. When data is pushed into a CodeCommit repository (for example, by calling git push), CodeCommit encrypts the received data as it is stored in the repository. When data is pulled from a CodeCommit repository (for example, by calling git pull), CodeCommit decrypts the data and then sends it to the caller. This assumes the IAM user associated with the push or pull request has been authenticated by Amazon. Data sent or received is transmitted using the HTTPS or SSH encrypted network protocols.

You can use either an Amazon managed key or a customer managed key for encrypting and decrypting the data in your repository. For more information about the differences between customer managed keys and Amazon managed keys, see Customer managed keys and Amazon managed keys. If you don't specify a customer managed key, CodeCommit will use an Amazon managed key for encrypting and decrypting the data in your repository. This Amazon managed key is created automatically for you in your Amazon Web Services account. The first time you create a CodeCommit repository in a new Amazon Web Services Region in your Amazon Web Services account, if you don't specify a customer managed key, CodeCommit creates an Amazon managed key (the aws/codecommit key) in that same Amazon Web Services Region in Amazon Key Management Service (Amazon KMS). This aws/codecommit key is used only by CodeCommit. It is stored in your Amazon Web Services account. Depending on what you specify, CodeCommit either uses the customer managed key or the Amazon managed key to encrypt and decrypt the data in the repository.

Important

CodeCommit performs the following Amazon KMS actions against the Amazon KMS key used to encrypt and decrypt data in a repository. If you're using an Amazon managed key, a user does not need explicit permissions for these actions, but the user must not have any attached policies that deny these actions for the aws/codecommit key. If you are using a customer managed key that has an Amazon Web Services account ID set as a policy principal for that key, these permissions must be explicitly set to allow. Specifically, when you create your first repository, and if you update keys for your repository, none of the following permissions may be set to deny if you are using an Amazon managed key, and all of them must be set to allow if you are using a customer managed key with a policy principal:

  • "kms:Encrypt"

  • "kms:Decrypt"

  • "kms:ReEncrypt" (depending on context, this could require kms:ReEncryptFrom, kms:ReEncryptTo, or kms:ReEncrypt* not set to deny)

  • "kms:GenerateDataKey"

  • "kms:GenerateDataKeyWithoutPlaintext"

  • "kms:DescribeKey"
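A quick way to check the "must not be denied" condition above is to audit the policies attached to the user or role for Deny statements that cover any of these actions. The following is an added example, not code from the AWS documentation: it assumes the policy is an IAM policy document already loaded as a dict (for example, the Document field returned by get-policy-version) and inspects only Action and NotAction patterns, so it does not evaluate Resource, Condition, or SCPs and its output is a shortlist to review rather than a full policy simulation.

```python
"""Static audit of an IAM policy document for Deny statements that would block
CodeCommit's KMS calls.

Added example, not code from the AWS documentation. It assumes the policy is
an IAM policy document already loaded as a dict and checks only
Action/NotAction patterns (no Resource, Condition or SCP evaluation).
"""
import fnmatch
import json

# Actions CodeCommit performs on the repository key (from the list above).
# kms:ReEncrypt* covers both kms:ReEncryptFrom and kms:ReEncryptTo.
REQUIRED_KMS_ACTIONS = (
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
)


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and use '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_denied_kms_actions(policy_document):
    """Return the sorted subset of REQUIRED_KMS_ACTIONS that some Deny statement covers.

    A Deny with "Action" covers an action when any pattern matches it; a Deny
    with "NotAction" covers every action that none of its patterns match.
    """
    denied = set()
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_list(stmt.get("Action"))
        not_actions = _as_list(stmt.get("NotAction"))
        for required in REQUIRED_KMS_ACTIONS:
            if actions and any(_matches(p, required) for p in actions):
                denied.add(required)
            elif not_actions and not any(_matches(p, required) for p in not_actions):
                denied.add(required)
    return sorted(denied)


# Constructed sample: a broad allow, then an explicit deny on re-encryption and
# on every kms:Generate* action, which would break creating the first repository.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["kms:ReEncrypt*", "kms:Generate*"], "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for action in find_denied_kms_actions(SAMPLE_POLICY):
        print("denied:", action)
```

Run it against each policy document attached to the identity (and any group or permission-boundary policy); an empty result means no explicit Deny covers the actions CodeCommit needs, which is the condition the note above requires for an Amazon managed key.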

If you want to use your own customer managed key, the key must be available in the Amazon Web Services Region where the repository exists. CodeCommit supports using both single-Region and multi-Region customer managed keys. While all key material origin types are supported, we recommend using the default KMS option. Customers using the External key store option might experience delays from their store provider. In addition, CodeCommit has the following requirements for customer managed keys:

  • CodeCommit only supports using symmetric keys.

  • The key usage type must be set to Encrypt and decrypt.

For more information on creating customer managed keys, see Concepts and Creating keys.
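Before pointing a repository at a customer managed key, it is worth verifying the requirements above (symmetric key, Encrypt and decrypt usage, available in the repository's Region) against the key's metadata. The following is an added example, not code from the AWS documentation: it takes the KeyMetadata map that kms:DescribeKey returns and reports each requirement the key fails; the two sample keys are constructed (placeholder account ID and key IDs) so the check runs offline, and the field names it reads (KeySpec, KeyUsage, Arn, Origin, MultiRegionConfiguration) are the ones DescribeKey documents.

```python
"""Check a KMS key's DescribeKey metadata against CodeCommit's customer managed
key requirements.

Added example, not code from the AWS documentation. Input is the "KeyMetadata"
map from kms:DescribeKey; the samples below are constructed placeholders.
"""


def key_regions(key_metadata):
    """Regions where the key can be used: the ARN's Region plus, for a
    multi-Region key, the primary and every replica Region."""
    # ARN layout: arn:partition:kms:region:account:key/id -> Region is field 3
    regions = {key_metadata["Arn"].split(":")[3]}
    mrc = key_metadata.get("MultiRegionConfiguration") or {}
    related = [mrc.get("PrimaryKey") or {}] + list(mrc.get("ReplicaKeys") or [])
    for entry in related:
        if entry.get("Region"):
            regions.add(entry["Region"])
    return regions


def check_codecommit_key(key_metadata, repository_region):
    """Return {"problems": [...], "warnings": [...]}; the key is usable for a
    repository in repository_region only when "problems" is empty."""
    problems, warnings = [], []
    if key_metadata.get("KeySpec") != "SYMMETRIC_DEFAULT":
        problems.append("CodeCommit only supports symmetric keys "
                        f"(KeySpec is {key_metadata.get('KeySpec')})")
    if key_metadata.get("KeyUsage") != "ENCRYPT_DECRYPT":
        problems.append("key usage must be Encrypt and decrypt "
                        f"(KeyUsage is {key_metadata.get('KeyUsage')})")
    if repository_region not in key_regions(key_metadata):
        problems.append(f"key is not available in {repository_region}")
    # Every origin is supported, but the default KMS origin is the recommended
    # option and external key stores may add latency from the store provider.
    if key_metadata.get("Origin") != "AWS_KMS":
        warnings.append(f"key material origin is {key_metadata.get('Origin')}; "
                        "AWS_KMS is the recommended option")
    return {"problems": problems, "warnings": warnings}


# Constructed samples (account ID and key IDs are placeholders).
GOOD_MULTI_REGION_KEY = {
    "Arn": "arn:aws-cn:kms:cn-north-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
    "KeySpec": "SYMMETRIC_DEFAULT",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Origin": "AWS_KMS",
    "MultiRegion": True,
    "MultiRegionConfiguration": {
        "MultiRegionKeyType": "PRIMARY",
        "PrimaryKey": {
            "Arn": "arn:aws-cn:kms:cn-north-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
            "Region": "cn-north-1",
        },
        "ReplicaKeys": [{
            "Arn": "arn:aws-cn:kms:cn-northwest-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
            "Region": "cn-northwest-1",
        }],
    },
}

BAD_SIGNING_KEY = {
    "Arn": "arn:aws-cn:kms:cn-north-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeySpec": "RSA_2048",
    "KeyUsage": "SIGN_VERIFY",
    "Origin": "EXTERNAL_KEY_STORE",
    "MultiRegion": False,
}

if __name__ == "__main__":
    print(check_codecommit_key(GOOD_MULTI_REGION_KEY, "cn-northwest-1"))
    print(check_codecommit_key(BAD_SIGNING_KEY, "cn-northwest-1"))
```

The multi-Region sample passes for a repository in either of its Regions; the asymmetric signing key fails three requirements for a repository in cn-northwest-1 and additionally draws the origin warning.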

To see information about the Amazon managed key generated by CodeCommit, do the following:

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

  3. In the service navigation pane, choose Amazon managed keys. Make sure that you are signed in to the Amazon Web Services Region where you want to review keys.

  4. In the list of encryption keys, choose the Amazon managed key with the alias aws/codecommit. Basic information about the Amazon managed key is displayed.

You cannot change or delete this Amazon managed key.

How encryption algorithms are used to encrypt repository data

CodeCommit uses two different approaches for encrypting data. Individual Git objects under 6 MB are encrypted using AES-GCM-256, which provides data integrity validation. Objects between 6 MB and the maximum 2 GB for a single blob are encrypted using AES-CBC-256. CodeCommit always validates the encryption context.

Encryption context

Each service integrated with Amazon KMS specifies an encryption context for both the encryption and decryption operations. The encryption context is additional authenticated information Amazon KMS uses to check for data integrity. When specified for the encryption operation, it must also be specified in the decryption operation. Otherwise, decryption fails. CodeCommit uses the CodeCommit repository ID for the encryption context. You can use the get-repository command or the CodeCommit console to find the repository ID. Search for the CodeCommit repository ID in Amazon CloudTrail logs to understand which encryption operations were taken on which key in Amazon KMS to encrypt or decrypt data in the CodeCommit repository.
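The CloudTrail search the paragraph above suggests can be scripted: filter KMS records whose encryption context carries the repository ID and tally which operations ran against which key. The following is an added example, not code from the AWS documentation. The records are constructed here in CloudTrail's log-file layout (a Records list) so the search runs offline; the placeholder repository IDs and key ARN are made up, the eventSource value is assumed to be kms.amazonaws.com as in the global partition, and the context key name repositoryId is an assumption, which is why the filter compares the repository ID against every encryption-context value rather than one fixed key.

```python
"""Find the KMS operations CloudTrail recorded for one CodeCommit repository by
matching the repository ID in the encryption context.

Added example, not code from the AWS documentation. Records are constructed in
CloudTrail's log-file layout; IDs, ARN and the context key name are placeholders.
"""
from collections import Counter

# Constructed placeholders.
REPOSITORY_ID = "12345678-1234-1234-1234-123456789012"
OTHER_REPOSITORY_ID = "87654321-4321-4321-4321-210987654321"
KEY_ARN = "arn:aws-cn:kms:cn-north-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def _kms_event(event_name, repository_id, key_arn=KEY_ARN):
    """Build one CloudTrail record shaped like a KMS data-plane event.
    The context key "repositoryId" is an assumption for the sample only."""
    return {
        "eventSource": "kms.amazonaws.com",
        "eventName": event_name,
        "requestParameters": {"encryptionContext": {"repositoryId": repository_id}},
        "resources": [{"type": "AWS::KMS::Key", "ARN": key_arn}],
    }


SAMPLE_TRAIL = {
    "Records": [
        _kms_event("GenerateDataKey", REPOSITORY_ID),
        _kms_event("Decrypt", REPOSITORY_ID),
        _kms_event("Decrypt", REPOSITORY_ID),
        _kms_event("Decrypt", OTHER_REPOSITORY_ID),
        # A non-KMS record that mentions the repository must be ignored.
        {"eventSource": "codecommit.amazonaws.com", "eventName": "GitPull",
         "requestParameters": {"repositoryId": REPOSITORY_ID}},
    ]
}


def kms_operations_for_repository(trail, repository_id):
    """Return a Counter keyed by (eventName, keyArn) for every KMS call whose
    encryption context carries repository_id as one of its values."""
    counts = Counter()
    for record in trail.get("Records", []):
        if record.get("eventSource") != "kms.amazonaws.com":
            continue
        context = (record.get("requestParameters") or {}).get("encryptionContext") or {}
        if repository_id not in context.values():
            continue
        key_arns = [r.get("ARN") for r in record.get("resources", [])
                    if r.get("type") == "AWS::KMS::Key"] or ["(key not recorded)"]
        for arn in key_arns:
            counts[(record.get("eventName"), arn)] += 1
    return counts


if __name__ == "__main__":
    tally = kms_operations_for_repository(SAMPLE_TRAIL, REPOSITORY_ID)
    for (name, arn), n in sorted(tally.items()):
        print(f"{n:3d}  {name:<22}  {arn}")
```

On real data, load each gzipped CloudTrail log file's JSON into the same shape and pass the repository ID from get-repository; the tally tells you how many Decrypt and GenerateDataKey calls CodeCommit made against which key for that repository.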

For more information about Amazon KMS, see the Amazon Key Management Service Developer Guide.