A large company uses AWS CodeCommit to manage its source code. There are over a hundred of repositories and many teams are working on different projects. As a DevOps engineer, you need to allocate suitable access to different users. For example, development team should not access the repositories that contain sensitive data. How should you manage this?

Answer options:

A.Tag repositories in AWS CodeCommit. Create policies in IAM that allow or deny actions on repositories based on the tags associated with repositories.
B.In AWS CodeCommit console, create CodeCommit policies to IAM groups that allow or deny actions on repositories.
C.Configure Git tags in AWS CodeCommit repositories. Create policies in IAM that allow or deny actions on repositories based on the Git tags.
D.In IAM, for each IAM user, add an IAM policy that allows or denies actions on repositories based on repository names.

Correct Answer – A
In July 2019, CodeCommit has a new feature to support adding tags in its repositories. For details refer to https://aws.amazon.com/about-aws/whats-new/2019/07/aws-codecommit-now-supports-resource-tagging/.
Option A is CORRECT: Because with tags, an IAM policy can be easily configured to control the access. For example:
{
"Version": "2012-10-17",
"Statement" : [
{
"Effect" : "Deny",
"Action" : "codecommit:*"
"Resource" : "*",
"Condition" : {
 "StringEquals" : "aws:ResourceTag/Department": "BigData"
}
}
]
}
Option B is incorrect: Because there is no CodeCommit policy. In this case, IAM policy should be used.
Option C is incorrect: Although Git tag is supported in CodeCommit, in this scenario, tags of repositories should be used instead of Git tags.
Option D is incorrect: The company owns over a hundred of repositories. It is inappropriate and inefficient to create an IAM policy per IAM user based on repository names.