AWS CodeCommit
User Guide (API Version 2015-04-13)

AWS Key Management Service and Encryption for AWS CodeCommit Repositories

Data in AWS CodeCommit repositories is encrypted in transit and at rest. When data is pushed into an AWS CodeCommit repository (for example, by calling git push), AWS CodeCommit encrypts the received data as it is stored in the repository. When data is pulled from an AWS CodeCommit repository (for example, by calling git pull), AWS CodeCommit decrypts the data and then sends it to the caller. This assumes the IAM user associated with the push or pull request has been authenticated by AWS. Data sent or received is transmitted using the HTTPS or SSH encrypted network protocols.

The first time you create an AWS CodeCommit repository in a new region in your AWS account, AWS CodeCommit creates an AWS-managed key in that same region in AWS Key Management Service (AWS KMS) that is used only by AWS CodeCommit (the aws/codecommit key). This key is created and stored in your AWS account. AWS CodeCommit uses this AWS-managed key to encrypt and decrypt the data in this and all other AWS CodeCommit repositories within that region in your AWS account.


AWS CodeCommit performs the following AWS KMS actions against the default key aws/codecommit. An IAM user does not need explicit permissions for these actions, but the user must not have any attached policies that deny these actions for the aws/codecommit key. Specifically, your AWS account must not have any of the following permissions set to deny when creating your first repository:

  • "kms:Encrypt"

  • "kms:Decrypt"

  • "kms:ReEncrypt"

  • "kms:GenerateDataKey"

  • "kms:GenerateDataKeyWithoutPlaintext"

  • "kms:DescribeKey"

To see information about the AWS-managed key generated by AWS CodeCommit, do the following:

  1. Sign in to the AWS Management Console and open the IAM console at

  2. In the service navigation pane, choose Encryption Keys. (If a welcome page appears, choose Get Started Now.)

  3. In Filter, choose the region for your repository. For example, if the repository was created in us-east-2, make sure the filter is set to US East (Ohio).

  4. In the list of encryption keys, choose the AWS-managed key with the alias aws/codecommit. Basic information about the AWS-managed key will be displayed.

You cannot change or delete this AWS-managed key. You cannot use a customer-managed key in AWS KMS to encrypt or decrypt data in AWS CodeCommit repositories.

Encryption Context

Each service integrated with AWS KMS specifies an encryption context for both the encryption and decryption operations. The encryption context is additional authenticated information AWS KMS uses to check for data integrity. When specified for the encryption operation, it must also be specified in the decryption operation or decryption will fail. AWS CodeCommit uses the AWS CodeCommit repository ID for the encryption context. You can find the repository ID by using the get-repository command or by viewing repository details in the AWS CodeCommit console. Search for the AWS CodeCommit repository ID in AWS CloudTrail logs to understand which encryption operations were taken on which key in AWS KMS to encrypt or decrypt data in the AWS CodeCommit repository.

For more information about AWS KMS, see the AWS Key Management Service Developer Guide.

On this page: