Let's get started with that, and perform the following operations:
First of all, let's create a custom policy that defines the restrictions.
Go to IAM Console and click on the Policies section. Then, click on Create Policy:
Click on Create Your Own Policy:
You will be redirected to another page where you have to fill in the Policy Name, a description of the policy, and a policy document. The policy document will be the definition, where we will mention the resources and actions:
Insert the following policy definition (x60xxxxxxx39 stands for your account ID):
Click on Create Policy; we will then have our own custom policy:
Now, let's remove the AWSCodeCommitPowerUser access from the IAM user that we created to clone the repository by clicking on x:
Click on Add permissions, then click on Attach Existing Policies Directly. Search for the policy name in the filter, select the policy, and save:
We will have a user with only our custom policy, which means the user will only have access to the HelloWorld repository and only two actions, git push and git clone:
awsstar@awsstar:~$ aws codecommit list-repositories
An error occurred (AccessDeniedException) when calling the ListRepositories operation: User: arn:aws:iam::16xxxxxx139:user/awsccuser is not authorized to perform: codecommit:ListRepositories
The preceding command output shows AccessDeniedException, that is, awsccuser is not authorized to perform codecommit:ListRepositories. The reason for this is we have given access to only two operations or actions: git push and git clone.
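An added example, not the original author's policy: a policy document of the shape this walkthrough describes (clone and push on the HelloWorld repository only), plus a simplified evaluator that shows why ListRepositories is refused. The region, the placeholder account ID, the second repository name and the `decision` helper are assumptions made for the illustration.

```python
import json
from fnmatch import fnmatchcase

# Placeholders (assumptions): substitute your own region and 12-digit account ID.
REGION = "us-east-1"
ACCOUNT_ID = "111122223333"
REPO_ARN = f"arn:aws:codecommit:{REGION}:{ACCOUNT_ID}:HelloWorld"

# git clone/fetch/pull map to codecommit:GitPull; git push maps to codecommit:GitPush.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["codecommit:GitPull", "codecommit:GitPush"],
        "Resource": REPO_ARN,
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; ARNs are compared case-sensitively.
    action_hit = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
    resource_hit = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return action_hit and resource_hit

def decision(policy, action, resource):
    """Simplified model: explicit Deny wins, then Allow, otherwise implicit deny.
    Conditions, NotAction/NotResource, boundaries and SCPs are not modelled."""
    hits = [s["Effect"] for s in _as_list(policy["Statement"]) if _matches(s, action, resource)]
    if "Deny" in hits:
        return "explicit deny"
    return "allow" if "Allow" in hits else "implicit deny"

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))  # JSON for the Policy Document field
    other = REPO_ARN.replace("HelloWorld", "OtherRepo")  # hypothetical second repository
    for action, resource in [("codecommit:GitPull", REPO_ARN),
                             ("codecommit:GitPush", REPO_ARN),
                             ("codecommit:ListRepositories", "*"),
                             ("codecommit:GitPull", other)]:
        print(f"{action:30} {resource:55} -> {decision(POLICY, action, resource)}")
```

Nothing in the policy denies ListRepositories explicitly; the request fails because no Allow statement matches it, which is the implicit deny behind the AccessDeniedException above.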