AWS Key Management Service and encryption for AWS CodeCommit repositories
Data in CodeCommit repositories is encrypted in transit and at rest. When data is pushed into a CodeCommit repository (for example, by calling git push), CodeCommit encrypts the received data as it is stored in the repository. When data is pulled from a CodeCommit repository (for example, by calling git pull), CodeCommit decrypts the data and then sends it to the caller. This assumes the IAM user associated with the push or pull request has been authenticated by AWS. Data sent or received is transmitted using the HTTPS or SSH encrypted network protocols.
The first time you create a CodeCommit repository in a new AWS Region in your Amazon Web Services account, CodeCommit creates an AWS managed key (the aws/codecommit key) in that same AWS Region in AWS Key Management Service (AWS KMS). This key is used only by CodeCommit and is stored in your Amazon Web Services account. CodeCommit uses this AWS managed key to encrypt and decrypt the data in this and all other CodeCommit repositories within that Region in your Amazon Web Services account.
CodeCommit performs the following AWS KMS actions against the default aws/codecommit key. An IAM user does not need explicit permissions for these actions, but the user must not have any attached policies that deny these actions for the aws/codecommit key. Specifically, when you create your first repository, your IAM user must not have any of the following permissions set to deny:
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:ReEncrypt" (depending on context, this could require kms:ReEncryptFrom, kms:ReEncryptTo, or kms:ReEncrypt* not set to deny)
- "kms:GenerateDataKey"
- "kms:GenerateDataKeyWithoutPlaintext"
- "kms:DescribeKey"
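The deny requirement above is easy to violate with a broad guardrail policy attached to a user or group. The following added example (not code from the AWS documentation) is a small offline check that walks an IAM identity policy document and reports every explicit Deny statement that would block one of the listed KMS actions on the aws/codecommit key. The policy document, the account number and the key ARN are constructed placeholders; "kms:ReEncrypt" is expanded to the two concrete actions kms:ReEncryptFrom and kms:ReEncryptTo that IAM actually evaluates.

```python
import fnmatch
import json

# KMS actions the page says CodeCommit performs against the aws/codecommit key.
# "kms:ReEncrypt" is expanded into the two concrete actions IAM actually evaluates.
REQUIRED_KMS_ACTIONS = (
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
)


def _as_list(value):
    """IAM lets Statement/Action/Resource be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively and support * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    # Resource ARNs use the same wildcard rules, with case preserved.
    return fnmatch.fnmatchcase(arn, pattern)


def _deny_covers(stmt, action, key_arn):
    """True if a Deny statement applies to the given action on the given key ARN."""
    if "NotAction" in stmt:
        action_hit = not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    else:
        action_hit = any(_action_matches(p, action) for p in _as_list(stmt.get("Action")))
    if "NotResource" in stmt:
        resource_hit = not any(_resource_matches(p, key_arn) for p in _as_list(stmt["NotResource"]))
    else:
        resource_hit = any(_resource_matches(p, key_arn) for p in _as_list(stmt.get("Resource")))
    return action_hit and resource_hit


def find_blocking_denies(policy, key_arn):
    """Return (statement id, action) pairs for every explicit Deny in an identity
    policy that would block a KMS action CodeCommit needs on the aws/codecommit key.
    Statements carrying a Condition are reported too: this offline check cannot
    evaluate request context, so a conditional Deny still deserves a manual look."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Deny":
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        for action in REQUIRED_KMS_ACTIONS:
            if _deny_covers(stmt, action, key_arn):
                findings.append((sid, action))
    return findings


# Constructed sample policy and key ARN (placeholders, not from any real account). The
# second statement is the kind of broad KMS deny that makes the first push to a new
# Region fail; the third targets a different key and is harmless for CodeCommit.
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowCodeCommit", "Effect": "Allow",
     "Action": "codecommit:*", "Resource": "*"},
    {"Sid": "DenyKmsDecryptEverywhere", "Effect": "Deny",
     "Action": ["kms:Decrypt", "kms:ReEncrypt*"], "Resource": "*"},
    {"Sid": "DenyKmsOnOtherKey", "Effect": "Deny",
     "Action": "kms:*",
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"}
  ]
}
""")

if __name__ == "__main__":
    for sid, action in find_blocking_denies(SAMPLE_POLICY, SAMPLE_KEY_ARN):
        print(f"{sid}: denies {action} on the aws/codecommit key")
```

Run against the sample, the check reports the DenyKmsDecryptEverywhere statement three times (kms:Decrypt, kms:ReEncryptFrom, kms:ReEncryptTo) and ignores the deny scoped to the other key. In practice you would feed it the policy documents returned for the user, its groups and any permissions boundary, and pass the ARN shown for the aws/codecommit alias in the KMS console.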
To see information about the AWS managed key generated by CodeCommit, do the following:
- Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
- To change the AWS Region, use the Region selector in the upper-right corner of the page.
- In the service navigation pane, choose AWS managed keys. Make sure that you are signed in to the AWS Region where you want to review keys.
- In the list of encryption keys, choose the AWS managed key with the alias aws/codecommit. Basic information about the AWS managed key is displayed.
You cannot change or delete this AWS managed key. You cannot use a customer managed key in AWS KMS to encrypt or decrypt data in CodeCommit repositories.
How encryption algorithms are used to encrypt repository data
CodeCommit uses two different approaches for encrypting data. Individual Git objects under 6 MB are encrypted using AES-GCM-256, which provides data integrity validation. Objects between 6 MB and the maximum 2 GB for a single blob are encrypted using AES-CBC-256. CodeCommit always validates the encryption context.
Encryption context
Each service integrated with AWS KMS specifies an encryption context for both the encryption and decryption operations. The encryption context is additional authenticated information AWS KMS uses to check for data integrity. When specified for the encryption operation, it must also be specified in the decryption operation. Otherwise, decryption fails. CodeCommit uses the CodeCommit repository ID for the encryption context. You can use the get-repository command or the CodeCommit console to find the repository ID. Search for the CodeCommit repository ID in AWS CloudTrail logs to understand which encryption operations were taken on which key in AWS KMS to encrypt or decrypt data in the CodeCommit repository.
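The CloudTrail search described above is the practical way to see which KMS operations were taken against which key for one repository. The following added example (not code from the AWS documentation) does that search offline over CloudTrail records: it keeps only kms.amazonaws.com events whose encryption context contains the repository ID, and summarizes them by operation and key ARN. The records, repository IDs and key ARN are constructed placeholders, and the encryption-context key name "CodeCommitRepositoryId" used in them is an assumption made for this example; the filter matches on the repository ID value, which is what the page tells you to search for, rather than on any particular context key name.

```python
import gzip
import json

# Constructed CloudTrail records (not real logs). The key ARN, repository IDs and the
# encryption-context key name are placeholders invented for this example.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_RECORDS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "eventTime": "2024-05-01T09:00:01Z",
     "requestParameters": {"keyId": KEY_ARN,
                           "encryptionContext": {"CodeCommitRepositoryId": "repo-aaaa1111"}},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "eventTime": "2024-05-01T09:05:12Z",
     "requestParameters": {"encryptionContext": {"CodeCommitRepositoryId": "repo-aaaa1111"}},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "eventTime": "2024-05-01T09:06:40Z",
     "requestParameters": {"encryptionContext": {"CodeCommitRepositoryId": "repo-aaaa1111"}},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "eventTime": "2024-05-01T09:07:00Z",
     "requestParameters": {"encryptionContext": {"CodeCommitRepositoryId": "repo-bbbb2222"}},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    # A non-KMS record, to show that the filter only considers KMS events.
    {"eventSource": "codecommit.amazonaws.com", "eventName": "GitPush",
     "eventTime": "2024-05-01T09:00:00Z", "requestParameters": {"repositoryName": "demo"}},
]


def _key_arn(record):
    """Key ARN from the record's resources list, falling back to requestParameters.keyId."""
    for res in record.get("resources") or []:
        if res.get("ARN"):
            return res["ARN"]
    return (record.get("requestParameters") or {}).get("keyId")


def kms_operations_for_repository(records, repository_id):
    """Summarize which KMS operations were performed on which key for one repository,
    identified by its repository ID appearing as a value in the encryption context.
    Returns a sorted list of (eventName, keyArn, count)."""
    counts = {}
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        context = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        if repository_id not in context.values():
            continue
        key = (rec.get("eventName"), _key_arn(rec))
        counts[key] = counts.get(key, 0) + 1
    return sorted((name, arn, n) for (name, arn), n in counts.items())


def load_cloudtrail_records(path):
    """Read the records from a gzipped CloudTrail log file as delivered to S3
    (a JSON object with a top-level "Records" array)."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)["Records"]


if __name__ == "__main__":
    for name, arn, n in kms_operations_for_repository(SAMPLE_RECORDS, "repo-aaaa1111"):
        print(f"{name:<16} x{n}  {arn}")
```

For the sample, repo-aaaa1111 shows one GenerateDataKey and two Decrypt operations against the single aws/codecommit key, while the Decrypt issued for repo-bbbb2222 is left out. Because the encryption context is bound to the ciphertext, a Decrypt event whose context carries a different repository ID than the one you are investigating is itself worth a second look.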
For more information about AWS KMS, see the AWS Key Management Service Developer Guide.