
Security Overview of Amazon CodeGuru Reviewer

AWS Whitepaper


Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.


Table of Contents

Abstract and introduction
  Introduction
  Are you Well-Architected?
Security for Amazon CodeGuru Reviewer
  Workflows
    Pull Request workflow and Repository Analysis workflow
    Security analysis workflow and CI integrated workflow
  Data retention and protection
  Data encryption
  VPC endpoints (AWS PrivateLink)
  Infrastructure security
  Amazon S3 bucket protection in the Security and CI workflow
  IAM roles and permissions
  Logging and monitoring
    Logging CodeGuru Reviewer API calls with AWS CloudTrail
    Monitoring CodeGuru Reviewer with Amazon CloudWatch
  Amazon CodeGuru Reviewer repository support
  The Shared Responsibility Model
Contributors
Further reading
Document history
Notices
Appendix A: Document glossary
  Amazon CodeGuru Reviewer Terminology
  Amazon CodeGuru Profiler Terminology
  Related Services Terminology
AWS glossary


Publication date: August 3, 2021 (Document history (p. 15))

This whitepaper provides a security overview of Amazon CodeGuru Reviewer: how it safeguards customer data, how it manages data retention, and how intelligent recommendations are generated and published. The paper also provides guidance on securely using Amazon CodeGuru Reviewer in your environment.

The intended audience for this whitepaper is Chief Information Security Officers (CISOs), information security groups, security analysts, enterprise architects, compliance teams, developers, and anyone interested in understanding the security design principles of the Amazon CodeGuru service.

Introduction

Amazon CodeGuru is a developer tool that provides intelligent recommendations to help improve your code quality and identify an application's most expensive lines of code. Human code reviewers can be expensive, hard to scale, and may miss potential bugs introduced with new software code.

Amazon CodeGuru is made up of two components that provide recommendations: CodeGuru Reviewer, which runs automated code reviews and carries out static code analysis, and CodeGuru Profiler, which evaluates dynamic application performance at runtime. The recommendations are generated using machine learning (ML) models that have been trained on millions of code reviews and tens of thousands of application profiles conducted within Amazon and open-source projects.

Amazon CodeGuru Overview

Amazon CodeGuru Reviewer is a valuable software development tool. However, it is a complement to human code reviewers and is not designed to be a replacement. Human code reviews traditionally focus on business logic, while Amazon CodeGuru evaluates the functional correctness of software code and can provide recommendations to reduce code defects.

You can associate CodeGuru Reviewer with a repository to allow CodeGuru Reviewer to provide recommendations by automatically analyzing pull requests and running checks on the code in your branch. Enabling CodeGuru Reviewer helps improve code quality and agility across your teams.

In this whitepaper, we focus on the functionality integrated into the CodeGuru Reviewer service that secures code-review operations and protects customer data. We also highlight best practices for using the service securely and give insight into the operations carried out within the service.

Are you Well-Architected?

The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.

For more expert guidance and best practices for your cloud architecture (reference architecture deployments, diagrams, and whitepapers), refer to the AWS Architecture Center.


Security for Amazon CodeGuru Reviewer

This section describes the functionality integrated into the CodeGuru Reviewer service and the best practices to follow for securing code-review operations and protecting customer data.

Topics

• Workflows (p. 3)

• Data retention and protection (p. 6)

• Data encryption (p. 6)

• VPC endpoints (AWS PrivateLink) (p. 6)

• Infrastructure security (p. 7)

• Amazon S3 bucket protection in the Security and CI workflow (p. 7)

• IAM roles and permissions (p. 7)

• Logging and monitoring (p. 8)

• Amazon CodeGuru Reviewer repository support (p. 9)

• The Shared Responsibility Model (p. 11)

Workflows

Amazon CodeGuru Reviewer can be invoked by several different workflows.

Below is a review of the actions carried out within the CodeGuru service for each workflow and the security considerations. Table 1 summarizes the details of each workflow.

• Pull Request workflow: Once the repository is associated with CodeGuru (using the console, the AWS CLI, or the AWS APIs), a developer creates a pull request, which invokes CodeGuru Reviewer to scan the added or modified code and provide recommendations.

• Repository Analysis workflow: This workflow is invoked using the CodeGuru Reviewer console, the AWS CLI, or the AWS SDK APIs, and carries out code quality analysis on the full repository.

• Security analysis workflow: This workflow is invoked from the CodeGuru Reviewer console and carries out a security and code quality analysis. It has CodeGuru Reviewer create an Amazon Simple Storage Service (Amazon S3) bucket in which the source code and build artifact are stored for analysis. The bucket policy grants CodeGuru Reviewer the minimum AWS Identity and Access Management (IAM) permissions required to perform a code and security review.

• CI integrated workflow: This workflow is invoked from within an integrated CI pipeline and carries out a security and code quality analysis. It creates the S3 bucket if one does not already exist; as above, the bucket policy grants CodeGuru Reviewer the minimum IAM permissions required to perform a code and security review.

Table 1 - Details of invoked workflows

Workflow name                 Code review type                  Operational trigger     Code staging before code analysis   Language support
Pull-request workflow         Code quality analysis             Pull request            Associated repository               Java, Python
Repository analysis workflow  Code quality analysis             Repository analysis     Associated repository               Java, Python
Security analysis workflow    Security + code quality analysis  Repository analysis     S3 bucket                           Java
CI integrated workflow        Security analysis                 CI trigger definition   S3 bucket                           Java

Pull Request workflow and Repository Analysis workflow

In a standard pull-request (PR) workflow, a developer starts by associating a code repository, such as GitHub or AWS CodeCommit, with Amazon CodeGuru.

Amazon CodeGuru Reviewer pull-request workflow

Once the repository is associated, CodeGuru is automatically subscribed to pull-request notifications from the repository. When a developer creates a pull request, a notification is sent to the CodeGuru Reviewer service. CodeGuru runs a git clone and securely pulls the customer code into an ephemeral Amazon ECS container running on AWS Fargate. The container is dedicated to the request: a single tenant per ephemeral container. CodeGuru Reviewer uses it to run analysis and inference in a sandboxed environment that offers VM-level isolation between tasks. Because the container runs in an access-restricted Amazon Virtual Private Cloud (Amazon VPC), the customer code is protected from external access, such as SSH or SCP sessions. Once the code analysis is complete, the recommendations are generated and published as comments on the pull request in the repository. The recommendations are then stored in the CodeGuru service's code-review history. Afterwards, regardless of whether the analysis completed successfully or failed, the service deletes the code from these containers and removes the containers.


The same process is followed for the full repository analysis workflow.

Security analysis workflow and CI integrated workflow

This workflow is invoked from the CodeGuru console or from within an integrated CI workflow.

Amazon CodeGuru Reviewer integrated CI workflow

In this workflow, you create an S3 bucket whose name must begin with the prefix codeguru-reviewer- and that carries a secure bucket policy for CodeGuru Reviewer analysis. This bucket is used to upload a copy of your software source code and build artifact. The S3 bucket is created once per Region for the CodeGuru Reviewer service and is reused for subsequent security code-review requests.

CodeGuru copies the contents to internal ephemeral artifact storage that is not exposed to the user. This artifact storage layer consists of an S3 bucket used to store code and artifacts (distinct from the user-facing S3 bucket created above) and DynamoDB tables used to store metadata about the code review request, both in the CodeGuru Reviewer service account. An ephemeral Amazon ECS container running on AWS Fargate is also instantiated and dedicated to the request, with a single tenant per ephemeral container. CodeGuru Reviewer uses it to run analysis and inference in a sandboxed environment that offers VM-level isolation between tasks. Because the container runs in an access-restricted VPC, the customer code is protected from external access, for example SSH or SCP sessions. Once the code analysis is complete, the recommendations are generated and published to the user. Using an S3 lifecycle policy to expire objects, Amazon CodeGuru Reviewer removes the customer code, which is stored encrypted, from its internal ephemeral artifact storage within three calendar days. The user-facing S3 bucket is not deleted at the end of the code review.


Data retention and protection

For each of the workflows discussed, code is fetched to generate recommendations using a pre-trained SageMaker model.

The recommendation text is generated by the model and encrypted using AWS KMS keys owned by the service (formerly called customer master keys, or CMKs). These service-owned keys are a collection of KMS keys that an AWS service owns and manages for use in multiple AWS accounts. For each recommendation, only metadata is stored: information such as the line number, the start and end line of the recommendation, the file path, and the repository name. The Reviewer SageMaker models are pre-trained and do not learn from customer code reviews. Amazon CodeGuru Reviewer purges the recommendation text after 90 days.

Amazon CodeGuru Reviewer stores the following items to create code reviews:

• Repository metadata (for example, the name and owner of a repository)

• Recommendations generated by CodeGuru Reviewer

• Pull request metadata (for example, the author and branch of a pull request)

• Feedback submitted by customers about code reviews

Amazon CodeGuru Reviewer maintains a history of code reviews by storing the line number, a link to the code, and metadata for 90 days.

Amazon CodeGuru stores the recommendations (encrypted with a KMS service key) that are generated from repository analysis or security analysis for 90 days. After 90 days, both the recommendations and the pull request job metadata are purged from the service.

Once you have disassociated a code repository from Amazon CodeGuru, the service no longer has access to events generated by the source code repository (webhook).

Data encryption

Both data at rest and data in transit are encrypted by default in Amazon CodeGuru Reviewer.

• Encryption of data at rest: Data collected by CodeGuru Reviewer is stored in Amazon S3 and Amazon DynamoDB resources that are not exposed to the user. As explained previously, the data is encrypted using the native data-at-rest encryption capabilities of those services.

• Encryption of data in transit: Communication between customers and CodeGuru Reviewer, and between CodeGuru Reviewer and its downstream dependencies, is protected with TLS, and API requests are signed using the Signature Version 4 signing process. All CodeGuru Reviewer endpoints use certificates with SHA-256 signatures that are managed by AWS Certificate Manager Private Certificate Authority.

VPC endpoints (AWS PrivateLink)

You can use VPC endpoints when you call Amazon CodeGuru Reviewer APIs. When you use VPC endpoints, your API calls are more secure because they stay within your VPC and do not traverse the public internet. We recommend using VPC endpoints as a security best practice to protect API calls, especially when accessing the service programmatically.

You can establish a private connection between your VPC and CodeGuru Reviewer by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access CodeGuru Reviewer APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not need public IP addresses to communicate with CodeGuru Reviewer APIs. Traffic between your VPC and CodeGuru Reviewer does not leave the Amazon network.

Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets.

CodeGuru Reviewer supports calling all of its APIs from your VPC. VPC endpoints are supported, but VPC endpoint policies are not supported for CodeGuru Reviewer. By default, full access to CodeGuru Reviewer is allowed through the endpoint; the only way to narrow what can be called through it is the IAM policies attached to the calling principals.

Infrastructure security

You can use AWS published API calls to access CodeGuru Reviewer through the network; however, clients must support Transport Layer Security (TLS) 1.0 or later (we recommend TLS 1.2 or later). Clients must also support cipher suites with perfect forward secrecy (PFS), such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems, such as Java 7 and later, support these modes.

Requests must be signed using an access key ID and a secret access key that are associated with an IAM principal, or you can use the AWS Security Token Service (AWS STS) to generate temporary security credentials to sign requests.
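The two client-side requirements above, the TLS floor with forward-secret cipher suites and Signature Version 4 request signing, are shown below in an added example that is not part of the whitepaper and uses only the Python standard library. make_tls_context() builds a client context that refuses anything below TLS 1.2 and offers only ECDHE/DHE suites; the SigV4 functions derive a signing key from the secret access key and sign a canonical request, so the secret itself never leaves the client. The request that is signed is the worked example from the AWS SigV4 documentation (IAM ListUsers on 2015-08-30 with the documentation's placeholder keys), chosen because its expected signature is published; those keys are not real credentials, and the same functions apply unchanged to a CodeGuru Reviewer endpoint by swapping host, region, and service name.

```python
import hashlib
import hmac
import ssl
from urllib.parse import quote

# Inputs of the AWS SigV4 documentation example; the keys are the documentation's
# placeholders, not real credentials.
EXAMPLE_ACCESS_KEY = "AKIDEXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
EXAMPLE_AMZ_DATE = "20150830T123600Z"


def make_tls_context() -> ssl.SSLContext:
    """Client floor for talking to the service: certificate verification on,
    TLS 1.2 or newer, and only ephemeral (forward-secret) key exchanges."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")  # drops static-RSA key transport
    return ctx


def tls_context_summary(ctx: ssl.SSLContext) -> dict:
    """What an auditor checks: the version floor, and that every TLS 1.2 suite
    still enabled uses ECDHE or DHE (TLS 1.3 suites are always ephemeral)."""
    legacy = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return {
        "minimum_version": ctx.minimum_version.name,
        "pfs_only": all("DHE" in name for name in legacy),  # matches ECDHE and DHE
    }


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method: str, path: str, query: dict, headers: dict, payload: bytes) -> str:
    """SigV4 canonical request: sorted URI-encoded query, lowercased and sorted
    headers with collapsed whitespace, signed-header list, SHA-256 of the body."""
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    signed_headers = ";".join(sorted(lowered))
    return "\n".join([method.upper(), quote(path, safe="/-_.~"), canon_query,
                      canon_headers, signed_headers, _sha256_hex(payload)])


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derived key chain; the raw secret never signs a request directly."""
    k = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k = _hmac_sha256(k, region)
    k = _hmac_sha256(k, service)
    return _hmac_sha256(k, "aws4_request")


def sign_request(access_key: str, secret_key: str, amz_date: str, region: str,
                 service: str, canon_req: str, signed_headers: str) -> dict:
    """String-to-sign, signature, and the Authorization header value."""
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canon_req.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"string_to_sign": string_to_sign, "signature": signature,
            "authorization": authorization}


def aws_doc_example() -> dict:
    """The AWS documentation's worked example (GET iam ListUsers), signed here."""
    headers = {"Host": "iam.amazonaws.com",
               "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
               "X-Amz-Date": EXAMPLE_AMZ_DATE}
    creq = canonical_request("GET", "/", {"Action": "ListUsers", "Version": "2010-05-08"},
                             headers, b"")
    signed_headers = ";".join(sorted(k.lower() for k in headers))
    return sign_request(EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY, EXAMPLE_AMZ_DATE,
                        "us-east-1", "iam", creq, signed_headers)


if __name__ == "__main__":
    print(tls_context_summary(make_tls_context()))
    print(aws_doc_example()["authorization"])
```

Two details matter in practice: the signature binds the x-amz-date header, so a captured request is only replayable inside the service's clock-skew window, and temporary STS credentials are used the same way with the session token carried in an extra x-amz-security-token header that must be included in the signed headers.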

Amazon S3 bucket protection in the Security and CI workflow

When code reviews are conducted using the security analysis workflow (p. 5) or the CI integrated workflow (p. 5) in Table 1, CodeGuru Reviewer creates a new S3 bucket in your account for that Region so that the service can conduct the code review. This S3 bucket is used to store the source code and build artifacts as .zip files, and it is retained in that Region, dedicated to CodeGuru Reviewer, for subsequent code reviews. The bucket policy grants CodeGuru Reviewer the minimum IAM permissions required to perform the code security analysis.

CodeGuru Reviewer requires only one S3 bucket per Region to store the source code and build artifacts for all of its workflows. You can, however, create new repositories, or prefixes, in the S3 bucket for subsequent code reviews. Typically, a new repository is created for each application.

We recommend that you don’t change the assigned permissions for the S3 bucket and maintainminimum permissions for carrying out the expected tasks.
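As an added example that is not part of the whitepaper, the code below assembles the API calls behind the security analysis and CI integrated workflows described in this section and in the workflow section above: the staging bucket name is checked for the required codeguru-reviewer- prefix before anything is uploaded, both artifacts must be .zip objects, and the AssociateRepository and CreateCodeReview parameters are built as plain dictionaries. The parameter shape (an S3Bucket repository type, and S3BucketRepository under SourceCodeType with SourceCodeArtifactsObjectKey and BuildArtifactsObjectKey) follows the CodeGuru Reviewer API as exposed through boto3 to the best of the editor's knowledge and should be checked against the current API reference; bucket, repository, and ARN values are placeholders. Only run_security_review() talks to AWS, and it is not needed to exercise the builders.

```python
import re
import time
import uuid

REQUIRED_BUCKET_PREFIX = "codeguru-reviewer-"
# S3 bucket naming rules that matter here: 3-63 chars of lowercase letters,
# digits, dots and hyphens, starting and ending with a letter or digit.
_BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# Placeholder identifiers for the demo (assumed values, not real resources).
DEMO_BUCKET = "codeguru-reviewer-demo-123456789012"
DEMO_ASSOCIATION_ARN = "arn:aws:codeguru-reviewer:us-east-1:123456789012:association:example"


def is_valid_staging_bucket(bucket: str) -> bool:
    """A valid S3 name that also carries the prefix the service requires."""
    return bool(_BUCKET_NAME.match(bucket)) and bucket.startswith(REQUIRED_BUCKET_PREFIX)


def _require_staging_bucket(bucket: str) -> None:
    if not is_valid_staging_bucket(bucket):
        raise ValueError(f"{bucket!r} must be a valid S3 bucket name beginning with "
                         f"{REQUIRED_BUCKET_PREFIX!r}")


def _require_zip(key: str, what: str) -> None:
    if not key.lower().endswith(".zip"):
        raise ValueError(f"{what} must be staged as a .zip object, got {key!r}")


def associate_s3_repository_params(repo_name: str, bucket: str) -> dict:
    """AssociateRepository parameters for an S3-bucket-backed repository."""
    _require_staging_bucket(bucket)
    return {"Repository": {"S3Bucket": {"Name": repo_name, "BucketName": bucket}}}


def create_security_review_params(review_name: str, association_arn: str, repo_name: str,
                                  bucket: str, source_zip_key: str, build_zip_key: str,
                                  analysis_types=("Security", "CodeQuality")) -> dict:
    """CreateCodeReview parameters for artifacts already uploaded to the bucket."""
    _require_staging_bucket(bucket)
    _require_zip(source_zip_key, "source code artifact")
    _require_zip(build_zip_key, "build artifact")
    return {
        "Name": review_name,
        "RepositoryAssociationArn": association_arn,
        "ClientRequestToken": str(uuid.uuid4()),  # makes a retried call idempotent
        "Type": {
            "RepositoryAnalysis": {
                "SourceCodeType": {
                    "S3BucketRepository": {
                        "Name": repo_name,
                        "Details": {
                            "BucketName": bucket,
                            "CodeArtifacts": {
                                "SourceCodeArtifactsObjectKey": source_zip_key,
                                "BuildArtifactsObjectKey": build_zip_key,
                            },
                        },
                    }
                }
            },
            "AnalysisTypes": list(analysis_types),
        },
    }


def demo_params() -> dict:
    """The CreateCodeReview request for the placeholder values above."""
    return create_security_review_params("demo-security-review", DEMO_ASSOCIATION_ARN,
                                         "demo-app", DEMO_BUCKET,
                                         "demo-app/src.zip", "demo-app/build.zip")


def run_security_review(bucket: str, repo_name: str, source_zip_key: str,
                        build_zip_key: str, region: str = "us-east-1") -> dict:
    """Live path (needs boto3 and credentials); assumes the two .zip objects
    are already in the bucket, for example via s3 put_object."""
    import boto3  # imported lazily so the builders above stay dependency-free
    client = boto3.client("codeguru-reviewer", region_name=region)
    assoc = client.associate_repository(**associate_s3_repository_params(repo_name, bucket))
    arn = assoc["RepositoryAssociation"]["AssociationArn"]
    for _ in range(60):  # association is asynchronous; bound the wait
        state = client.describe_repository_association(
            AssociationArn=arn)["RepositoryAssociation"]["State"]
        if state == "Associated":
            break
        if state == "Failed":
            raise RuntimeError(f"association {arn} failed")
        time.sleep(5)
    else:
        raise TimeoutError(f"association {arn} did not complete")
    return client.create_code_review(**create_security_review_params(
        f"security-{uuid.uuid4().hex[:8]}", arn, repo_name, bucket, source_zip_key, build_zip_key))
```

The prefix check is the useful part: the service only looks for artifacts in a bucket named this way, so a typo in the name fails loudly here rather than as a confusing error after the upload. Keeping the upload, association, and review creation as separate steps also means the IAM principal running the CI job needs only s3:PutObject on the staging bucket plus the codeguru-reviewer actions, not bucket creation or policy rights.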

IAM roles and permissions

CodeGuru Reviewer may be used by any of the following user personas:

• Developer (Service user): This user regularly uses CodeGuru Reviewer service to conduct code reviews.

• CodeGuru Administrator (Service administrator): The administrator determines which CodeGuru Reviewer features and resources employees should access, and provides the appropriate permissions to their IAM roles.

• IAM Administrator: A security authority that delegates necessary permissions to various serviceadministrators.


Depending upon the above roles, you can select managed policies to provide appropriate permissions.

• AmazonCodeGuruReviewerFullAccess

• AmazonCodeGuruReviewerReadOnlyAccess

• AmazonCodeGuruReviewerServiceRolePolicy

You can control permissions at a finer granularity by using tags within the policy. For more information, see Using tags to control access.

Once the previously mentioned profiles are created in the form of IAM users, groups, and roles, users can authenticate to AWS using their assigned identity credentials. For more information, see Authenticating with identities in CodeGuru Reviewer.

Logging and monitoring

Logging CodeGuru Reviewer API calls with AWS CloudTrail

Amazon CodeGuru Reviewer is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or AWS service in CodeGuru Reviewer. CloudTrail captures API calls for CodeGuru Reviewer as events. The calls captured include calls from the CodeGuru Reviewer console, the CodeGuru Reviewer AWS CLI, and code calls to the CodeGuru Reviewer API operations.

If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for CodeGuru Reviewer. If you do not configure a trail, you can still view the most recent events in the CloudTrail console in Event history. Using the information collected by CloudTrail, you can identify the request made to CodeGuru Reviewer, the IP address from which the request was made, who made the request, when it was made, and other details.

CodeGuru Reviewer supports logging its API actions as events in CloudTrail log files. Every event or log entry contains information about who generated the request. This identity information helps you determine the following:

• If the request was made with root or AWS Identity and Access Management (IAM) user credentials.

• If the request was made with temporary security credentials for a role or federated user.

• If the request was made by another AWS service.
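The three questions in the list above are answered by the userIdentity.type field of each CloudTrail record. The following added example (editor's code, not from the whitepaper) runs that classification over a CloudTrail log file, keeps only codeguru-reviewer.amazonaws.com events, and flags what an incident responder would look at first: anything done with root credentials, repository association changes made with long-term IAM user keys rather than a role, and denied calls. The log records are constructed for the example in the CloudTrail file layout; the account ID, ARNs, and IP addresses are placeholders.

```python
import json
from collections import Counter

# CloudTrail userIdentity.type values, grouped the way the three questions above group them.
LONG_TERM = {"Root", "IAMUser"}
TEMPORARY = {"AssumedRole", "FederatedUser", "SAMLUser", "WebIdentityUser"}
AWS_SERVICE = {"AWSService", "AWSAccount"}

REVIEWER_SOURCE = "codeguru-reviewer.amazonaws.com"
# Calls that change what the service can see or do; long-term keys using them deserve a look.
WATCHED = {"AssociateRepository", "DisassociateRepository", "CreateCodeReview"}

# Constructed sample log in CloudTrail's file layout; identifiers are placeholders.
SAMPLE_LOG_TEXT = json.dumps({"Records": [
    {"eventTime": "2021-08-03T10:00:00Z", "eventSource": REVIEWER_SOURCE,
     "eventName": "CreateCodeReview", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2021-08-03T10:05:00Z", "eventSource": REVIEWER_SOURCE,
     "eventName": "ListCodeReviews", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeveloperRole/alice"}},
    {"eventTime": "2021-08-03T10:10:00Z", "eventSource": REVIEWER_SOURCE,
     "eventName": "DisassociateRepository", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2021-08-03T10:15:00Z", "eventSource": REVIEWER_SOURCE,
     "eventName": "CreateCodeReview", "sourceIPAddress": "codebuild.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "codebuild.amazonaws.com"}},
    {"eventTime": "2021-08-03T10:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
]})


def credential_class(record: dict) -> str:
    """Which of the three kinds of caller made the request."""
    kind = record.get("userIdentity", {}).get("type", "Unknown")
    if kind in LONG_TERM:
        return "long-term (root or IAM user)"
    if kind in TEMPORARY:
        return "temporary (role or federated)"
    if kind in AWS_SERVICE:
        return "aws service"
    return "unknown"


def triage(log_text: str) -> dict:
    """Summarize CodeGuru Reviewer activity in one CloudTrail file and list findings."""
    records = json.loads(log_text)["Records"]
    reviewer_events = [r for r in records if r.get("eventSource") == REVIEWER_SOURCE]
    by_class = Counter(credential_class(r) for r in reviewer_events)
    findings = []
    for r in reviewer_events:
        ident = r.get("userIdentity", {})
        who = ident.get("arn") or ident.get("invokedBy") or ident.get("type")
        where = f"{r['eventTime']} {r['eventName']} by {who} from {r.get('sourceIPAddress')}"
        if ident.get("type") == "Root":
            findings.append(("root-credentials", where))
        elif r["eventName"] in WATCHED and credential_class(r).startswith("long-term"):
            findings.append(("long-term-credentials", where))
        if r.get("errorCode"):  # AccessDenied and similar: someone tried and was refused
            findings.append((f"error:{r['errorCode']}", where))
    return {"reviewer_events": len(reviewer_events),
            "by_credential_class": dict(by_class),
            "findings": findings}


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_LOG_TEXT)["findings"]:
        print(f"[{tag}] {detail}")
```

On a real trail the same function is applied file by file to the gzipped objects CloudTrail delivers to the S3 bucket; the sample above yields three findings (a root-credential review, a long-term IAM user attempting to disassociate a repository, and the AccessDenied on that attempt) while the service-invoked call and the unrelated S3 event produce none.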

Monitoring CodeGuru Reviewer with Amazon CloudWatch

You can use Amazon CloudWatch to monitor the number of recommendations created for your source code in an associated repository over time. The recommendations are available across three dimensions:

• ProviderType: View the number of recommendations for a provider type. You can view the count of recommendations in all repositories over a period of time for AWS CodeCommit, your Bitbucket account, your GitHub account, or your GitHub Enterprise Server account.

• CodeReviewType: View the number of recommendations per pull request for a specific code review type, such as PullRequest or RepositoryAnalysis.

• RepositoryName: View the count of recommendations for one repository over a period of time.

Metric                         Description
RecommendationsPublishedCount  The number of recommendations over a period of time per ProviderType, CodeReviewType, or RepositoryName for completed code reviews.
                               Units: Count
                               Valid CloudWatch statistic: Count
                               Valid CloudWatch period: 1 hour

Amazon CodeGuru Reviewer repository support

Amazon CodeGuru Reviewer currently supports the following git-based repositories: AWS CodeCommit, GitHub, GitHub Enterprise Cloud, GitHub Enterprise Server, and Bitbucket.

For AWS CodeCommit, Amazon CodeGuru Reviewer uses an IAM role with the policy AmazonCodeGuruReviewerServiceRolePolicy to gain access to the repository and permission to write comments. This policy has limited permissions: it grants access only to the related resources in CodeCommit, AWS CodeStar Connections, and CloudWatch Events that are required to create repository associations, and each grant is conditioned on the resource being tagged or managed for CodeGuru Reviewer.

Example of the IAM role policy:

AmazonCodeGuruReviewerServiceRolePolicy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccessCodeGuruReviewerEnabledRepositories",
      "Effect": "Allow",
      "Action": [
        "codecommit:GetRepository",
        "codecommit:DescribePullRequestEvents",
        "codecommit:GetCommentsForPullRequest",
        "codecommit:GetDifferences",
        "codecommit:GetPullRequest",
        "codecommit:ListPullRequests",
        "codecommit:PostCommentForPullRequest",
        "codecommit:GitPull",
        "codecommit:UntagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/codeguru-reviewer": "enabled"
        }
      }
    },
    {
      "Sid": "AccessCodeGuruReviewerEnabledConnections",
      "Effect": "Allow",
      "Action": [
        "codestar-connections:UseConnection"
      ],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "codestar-connections:ProviderAction": [
            "ListBranches",
            "GetBranch",
            "ListRepositories",
            "ListOwners",
            "ListPullRequests",
            "GetPullRequest",
            "ListPullRequestComments",
            "ListPullRequestCommits",
            "ListCommitFiles",
            "ListBranchCommits",
            "CreatePullRequestDiffComment",
            "GitPull"
          ]
        },
        "Null": {
          "aws:ResourceTag/codeguru-reviewer": "false"
        }
      }
    },
    {
      "Sid": "CloudWatchEventsResourceCleanup",
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:RemoveTargets"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "events:ManagedBy": "codeguru-reviewer.amazonaws.com"
        }
      }
    }
  ]
}
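What makes the policy above least-privilege is not the action list alone but the fact that every statement grants on Resource "*" and is then fenced by a Condition: a codeguru-reviewer resource tag, an allow-list of CodeStar Connections provider actions, or an events:ManagedBy match. The added example below (editor's code, not part of the whitepaper) encodes that rule as a check you can run over the managed policy or over any customer-written variant before attaching it. The policy dictionary is the one reproduced on this page; the set of accepted scoping keys is the editor's choice for this policy and would be extended for others.

```python
import copy

# The AmazonCodeGuruReviewerServiceRolePolicy as reproduced on this page.
SERVICE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AccessCodeGuruReviewerEnabledRepositories", "Effect": "Allow",
         "Action": ["codecommit:GetRepository", "codecommit:DescribePullRequestEvents",
                    "codecommit:GetCommentsForPullRequest", "codecommit:GetDifferences",
                    "codecommit:GetPullRequest", "codecommit:ListPullRequests",
                    "codecommit:PostCommentForPullRequest", "codecommit:GitPull",
                    "codecommit:UntagResource"],
         "Resource": "*",
         "Condition": {"StringLike": {"aws:ResourceTag/codeguru-reviewer": "enabled"}}},
        {"Sid": "AccessCodeGuruReviewerEnabledConnections", "Effect": "Allow",
         "Action": ["codestar-connections:UseConnection"],
         "Resource": "*",
         "Condition": {
             "ForAllValues:StringEquals": {"codestar-connections:ProviderAction": [
                 "ListBranches", "GetBranch", "ListRepositories", "ListOwners",
                 "ListPullRequests", "GetPullRequest", "ListPullRequestComments",
                 "ListPullRequestCommits", "ListCommitFiles", "ListBranchCommits",
                 "CreatePullRequestDiffComment", "GitPull"]},
             "Null": {"aws:ResourceTag/codeguru-reviewer": "false"}}},
        {"Sid": "CloudWatchEventsResourceCleanup", "Effect": "Allow",
         "Action": ["events:DeleteRule", "events:RemoveTargets"],
         "Resource": "*",
         "Condition": {"StringEquals": {"events:ManagedBy": "codeguru-reviewer.amazonaws.com"}}},
    ],
}

# Condition keys that tie a Resource "*" grant to resources tagged or managed for the service
# (editor's list for this policy).
SCOPING_KEYS = {"aws:ResourceTag/codeguru-reviewer",
                "codestar-connections:ProviderAction",
                "events:ManagedBy"}


def _as_list(value) -> list:
    """IAM allows a string or a list in Action and Resource; normalize to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def condition_keys(statement: dict) -> set:
    """All condition keys used under any operator (StringEquals, Null, ...)."""
    return {key for mapping in statement.get("Condition", {}).values() for key in mapping}


def allowed_actions(policy: dict) -> list:
    """Every action the policy can grant, for a quick review of the blast radius."""
    return sorted({a for s in policy["Statement"] if s.get("Effect") == "Allow"
                   for a in _as_list(s.get("Action"))})


def lint_policy(policy: dict) -> list:
    """Least-privilege findings: wildcard actions, and Resource "*" with no scoping Condition."""
    problems = []
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        sid = s.get("Sid", "<no Sid>")
        if any("*" in a for a in _as_list(s.get("Action"))):
            problems.append(f"{sid}: wildcard in Action")
        if "*" in _as_list(s.get("Resource")) and not (condition_keys(s) & SCOPING_KEYS):
            problems.append(f"{sid}: Resource * without a scoping Condition")
    return problems


def without_condition(policy: dict, sid: str) -> dict:
    """Copy of the policy with one statement's Condition dropped, to show what the lint catches."""
    weakened = copy.deepcopy(policy)
    for s in weakened["Statement"]:
        if s.get("Sid") == sid:
            s.pop("Condition", None)
    return weakened


if __name__ == "__main__":
    print(len(allowed_actions(SERVICE_ROLE_POLICY)), "actions;",
          "findings:", lint_policy(SERVICE_ROLE_POLICY))
    print("weakened:", lint_policy(without_condition(SERVICE_ROLE_POLICY,
                                                     "CloudWatchEventsResourceCleanup")))
```

The Null condition on the connections statement is easy to misread: "false" means the tag must be present, so an untagged connection is not usable by the role even though the ProviderAction list would otherwise allow it. The lint treats either condition as sufficient scoping; a stricter variant for your own policies could require both.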

For association with GitHub, GitHub Enterprise Cloud, GitHub Enterprise Server, or Bitbucket based repositories, Amazon CodeGuru Reviewer uses AWS CodeStar Connections to create a secure OAuth connection to those services.


Amazon CodeGuru repository association with OnPrem GitHub Enterprise server repository

AWS CodeStar Connections is a feature that allows services such as AWS CodePipeline and Amazon CodeGuru to access third-party git-based source code providers. It allows you to use the same connection across different AWS Regions. For more information about the permissions granted, see the API Reference in the AWS CodeStar Connections developer guide.

The Shared Responsibility Model

Security and compliance is a shared responsibility between AWS and the customer. This shared responsibility model can help relieve your operational burden, as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. You assume responsibility for and management of the guest operating system (including updates and security patches) and other associated application software, as well as the configuration of the AWS-provided security group firewall.

For Amazon CodeGuru, AWS manages the underlying infrastructure and foundation services, the operating system, and the application platform. You are responsible for the security of your code, the storage and accessibility of sensitive data, and identity and access management (IAM permissions) for CodeGuru Reviewer.

We strongly recommend that you never put sensitive identifying information, such as your customers' account numbers, into free-form fields that request a name (for example, a code review name). This applies when you work with Amazon CodeGuru Profiler, CodeGuru Reviewer, or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into Amazon CodeGuru Reviewer or other AWS services may be picked up for inclusion in diagnostic logs. When you provide a URL to an external server, do not include credential information in the URL to validate your request to that server.

We strongly recommend that you take precautions to avoid adding any sensitive information (for example, AWS credentials) to public repositories. Although Amazon CodeGuru can conduct security analysis on demand (when triggered by the customer) on public repositories (for example, on GitHub or Bitbucket), there are risks associated with publishing sensitive information on public sites, such as inadvertently sharing AWS access keys. Because customers are responsible for managing their data, they assume responsibility for these risks.


With respect to identity and access management (IAM), it is the customer's responsibility to ensure least privilege except where elevated permissions are necessary. Customers should ensure that permissions such as obtaining data related to code reviews, updating the lists of principals allowed for action groups, and other actions available through the console, API, AWS CLI, or AWS SDKs are granted only as needed. For more information, see Amazon CodeGuru Reviewer Actions.

Where applicable:

• Use multi-factor authentication (MFA) with each account.

• Use Transport Layer Security (TLS) to communicate with AWS resources.

• Set up API and user activity logging with AWS CloudTrail.

• Use AWS encryption solutions, and all default security controls in AWS services.

The following figure shows the shared responsibility model for the Amazon CodeGuru service. AWS responsibilities appear in orange and customer responsibilities appear in blue. For example, customer data includes source code, and identity and access management includes the ability to access Amazon CodeGuru and the underlying AWS infrastructure.

Shared Responsibility Model for Amazon CodeGuru


Contributors

Contributors to this document include:

• Gautam Srinivasan, Sr. Solutions Architect, Amazon Web Services
• Kien Pham, Solutions Architect, Amazon Web Services
• Cedric Snell, Solutions Architect, Amazon Web Services
• Nikunj Vaidya, DevOps Solutions Architect, Amazon Web Services
• Adnan Bilwani, Sr. Specialist Builder Experience, Amazon Web Services
• Vishnu Parmar, Principal PM CodeGuru, Amazon Web Services
• Abhinav Darbari, Software Development Manager CodeGuru, Amazon Web Services


Document history

To be notified about updates to this whitepaper, subscribe to the RSS feed.

Change                Description                    Date
Initial publication   Whitepaper first published.    August 3, 2021

Note: To subscribe to RSS updates, you must have an RSS plug-in enabled for the browser that you are using.


Notices

Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current AWS product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided "as is" without warranties, representations, or conditions of any kind, whether express or implied. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

© 2021 Amazon Web Services, Inc. or its affiliates. All rights reserved.


Appendix A: Document glossary

Amazon CodeGuru Reviewer Terminology

Code Repository: A source code repository that can be hosted with various repository providers. Examples of some popular code repository providers: GitHub, CodeCommit, and BitBucket.

Pull request: Represents the changed artifacts that a developer has made to a repository branch and wants to share with other developers and services for various purposes: code review, merge, recommendations. This is the same concept as a Git pull request.

Inference: Represents the process of running your application code against the CodeGuru recommendation engine to generate recommendations.

Rules: A human-curated and defined set of rules that can provide recommendations on a code repository.

Amazon CodeGuru Profiler Terminology

Profiling Group: A group of applications for which data is meant to be aggregated and analyzed together. You can create a profiling group using your own application or the demo application.

Profiling Agent: Collects runtime data from your applications. Data that the agent collects is analyzed to provide flame graphs and hourly reports with recommendations for how you can optimize your applications. You can either start the agent as a Java virtual machine (JVM) agent, or start it manually with a code change in your application.

Related Services Terminology

Continuous Delivery: AWS CodeCommit, AWS CodePipeline, AWS CodeBuild, AWS CodeDeploy, and AWS CodeStar provide a set of capabilities that you can natively combine into a CI/CD pipeline.

AWS CodeCommit: A fully managed source control service that hosts Git-based repositories. It enables you to create a branching strategy that meets AWS recommendations (including fine-grained access control) and integrate with AWS CodePipeline to trigger a new pipeline execution when a new commit occurs in your release branch.

AWS CodeBuild: Can be used for the build stage of your pipeline. Use it to build your code, execute unit tests, and create a new software package. It is a fully managed continuous integration service.

AWS CodeDeploy: A fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Fargate, AWS Lambda, and your on-premises servers.

AWS CodePipeline: A fully managed continuous delivery service where you define the steps in your pipeline. Typically, an AWS CodePipeline pipeline begins where your source code changes arrive. Then, you execute a build phase, execute tests against your new build, and perform a deployment and release of your build into the live environment. AWS CodePipeline provides native integration options for each of these phases with other AWS services.


AWS CodeStar: A unified user interface for creating your application that helps you follow best practices from the beginning. When you create a new project in AWS CodeStar, you automatically begin with a fully implemented and integrated continuous delivery toolchain (using the AWS CodeCommit, AWS CodePipeline, and AWS CodeBuild services mentioned earlier). It is a place where you can manage aspects of the SDLC for your project, including team member management, issue tracking, development, deployment, and operations.


AWS glossary

For the latest AWS terminology, see the AWS glossary in the AWS General Reference.
