codecommit repos are encrypted at rest automatically (kms-managed key, nothing to configure)
encrypted in transit (ssh or https)
cross account access:
create an iam role in the account that owns the repo; users in the other account call aws sts assumerole to get temporary credentials for it
do not share ssh keys
do not share aws credentials
you can trigger notifications in codecommit using sns, aws lambda or cloudwatch event rules.
basically any notification related to pull requests (including comments) goes through cloudwatch event rules; repository triggers (push, branch create/delete) go to sns / aws lambda. cloudwatch event rules can also target an sns topic.
sns / lambda (repository triggers):
deletion of branches
push to master
notify an external build system
trigger an aws lambda function to perform codebase analysis (e.g. did credentials get committed in the code?)
cloudwatch event rules:
trigger for pull request (created/updated/deleted/commented)
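worked example for the "did credentials get committed?" trigger above. this is added here and is not part of the original notes or any aws sample: a lambda handler invoked directly by a codecommit repository trigger on push. assumptions: the trigger event shape (Records[].eventSourceARN, Records[].codecommit.references[].commit), the boto3 codecommit calls get_commit / get_differences / get_blob, and the two regexes (access key ids are 20 chars starting AKIA/ASIA; secret keys are 40 chars and are only flagged next to an aws_secret_access_key label to cut noise). the sample config at the bottom is constructed with the well-known aws documentation example credentials, not a live key.

```python
"""Lambda triggered by a CodeCommit push: scan changed files for AWS credentials.

Added example (not from the original notes). Assumes the CodeCommit trigger
event format and the boto3 codecommit API calls named in scan_commit.
"""
import re

# Long-term access key id: AKIA (IAM user) or ASIA (temporary) + 16 uppercase alnum.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access key: 40 chars of [A-Za-z0-9/+]. Only flag it next to a
# "aws_secret_access_key" style label, otherwise random base64 blobs match.
SECRET_KEY_RE = re.compile(
    r"(?i)aws(?:_|\s)?secret(?:_|\s)?access(?:_|\s)?key\W{0,5}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)


def find_credentials(text: str, path: str = "<inline>") -> list[dict]:
    """Return one finding per credential-looking match, with file path and line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno, "kind": "access_key_id", "match": m.group(0)})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno, "kind": "secret_access_key", "match": m.group(1)})
    return findings


def scan_commit(client, repo: str, commit_id: str) -> list[dict]:
    """Diff a commit against its first parent and scan every added/modified blob.

    Assumes boto3 codecommit: get_commit, get_differences (paginated), get_blob.
    """
    commit = client.get_commit(repositoryName=repo, commitId=commit_id)["commit"]
    kwargs = {"repositoryName": repo, "afterCommitSpecifier": commit_id}
    parents = commit.get("parents", [])
    if parents:  # root commit has no parent: diff against the empty tree instead
        kwargs["beforeCommitSpecifier"] = parents[0]
    findings = []
    for page in client.get_paginator("get_differences").paginate(**kwargs):
        for diff in page["differences"]:
            if diff["changeType"] == "D":  # deleted file, nothing to scan
                continue
            blob = diff["afterBlob"]
            content = client.get_blob(repositoryName=repo, blobId=blob["blobId"])["content"]
            try:
                text = content.decode("utf-8")  # get_blob returns raw bytes
            except UnicodeDecodeError:
                continue  # binary file, skip
            findings.extend(find_credentials(text, blob["path"]))
    return findings


def handler(event, context):
    """Entry point for the CodeCommit repository trigger (assumed event shape)."""
    import boto3  # lazy import so find_credentials is usable without the SDK installed

    client = boto3.client("codecommit")
    findings = []
    for record in event["Records"]:
        repo = record["eventSourceARN"].split(":")[-1]  # arn:aws:codecommit:region:acct:repo
        for ref in record["codecommit"]["references"]:
            if ref.get("deleted"):  # branch deletion carries no new content
                continue
            findings.extend(scan_commit(client, repo, ref["commit"]))
    for f in findings:
        # replace with an SNS publish / ticket / PR comment in a real deployment
        print(f"POSSIBLE CREDENTIAL {f['kind']} in {f['path']}:{f['line']}")
    return {"findings": len(findings)}


# Constructed sample input: the AWS documentation example key pair, not a live credential.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    for f in find_credentials(SAMPLE_CONFIG, "config/credentials"):
        print(f)
```

the lambda's execution role needs codecommit:GetCommit, codecommit:GetDifferences and codecommit:GetBlob on the repo; the scan only touches blobs changed in the pushed commit, so it stays cheap even on large repos. detecting the key is the easy part; the remediation step (rotate the key, rewrite history) still has to happen out of band.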
enable s3 and cloudwatch logs integration - aws codebuild monitors builds on your behalf and reports metrics through amazon cloudwatch. these metrics include the number of total builds, failed builds, successful builds, and the duration of builds. you can monitor your builds at two levels: project level and aws account level. you can export log data from your log groups to an amazon s3 bucket and use this data in custom processing and analysis, or load it onto other systems. incorrect option: use cloudwatch events - you can integrate cloudwatch events with codebuild, but the question is about storing and running queries on logs, so cloudwatch logs with s3 integration is the right choice here.
deployment groups: groups of tagged instances (prod/dev/test). you can specify one or more deployment groups for a codedeploy application. the deployment group contains the settings and configurations used during the deployment. most deployment group settings depend on the compute platform used by your application. some settings, such as rollbacks, triggers, and alarms, can be configured for deployment groups on any compute platform. in an ec2/on-premises deployment, a deployment group is a set of individual instances targeted for deployment. a deployment group contains individually tagged instances, amazon ec2 instances in amazon ec2 auto scaling groups, or both.
amazon ecr users require permission to call ecr:GetAuthorizationToken before they can authenticate to a registry and push or pull any images from any amazon ecr repository. amazon ecr provides several managed policies to control user access at varying levels (AmazonEC2ContainerRegistryReadOnly, AmazonEC2ContainerRegistryPowerUser, AmazonEC2ContainerRegistryFullAccess).
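worked example for the ecr auth step above: what GetAuthorizationToken actually hands back and how it becomes a docker login. this is added here and is not code from the original notes or from aws. the documented facts it relies on: authorizationToken is base64 of "AWS:<password>", proxyEndpoint is the https registry url, and the token is valid for 12 hours. the sample token and endpoint at the bottom are constructed; fetch_docker_credentials is the only part that needs boto3 and the ecr:GetAuthorizationToken permission.

```python
"""Decode an ECR authorization token into docker login credentials.

Added example (not from the original notes). Only fetch_docker_credentials
talks to AWS; the two helpers are pure and run offline.
"""
import base64


def parse_authorization_token(token: str) -> tuple[str, str]:
    """Decode an ECR authorizationToken into (username, password).

    The decoded token is "AWS:<password>". The password itself can contain
    colons, so split on the first one only.
    """
    decoded = base64.b64decode(token).decode("utf-8")
    if ":" not in decoded:
        raise ValueError("malformed ECR authorization token: no user:password separator")
    user, password = decoded.split(":", 1)
    if user != "AWS":
        raise ValueError(f"unexpected ECR token user {user!r}")
    return user, password


def registry_host(proxy_endpoint: str) -> str:
    """proxyEndpoint is an https URL; docker login wants the bare host."""
    return proxy_endpoint.removeprefix("https://")


def fetch_docker_credentials(region: str) -> tuple[str, str, str]:
    """Call ECR and return (registry_host, username, password).

    Requires ecr:GetAuthorizationToken on the caller; the returned password
    is good for 12 hours, after which this has to be called again.
    """
    import boto3  # lazy import so the helpers above work without the SDK

    resp = boto3.client("ecr", region_name=region).get_authorization_token()
    data = resp["authorizationData"][0]
    user, password = parse_authorization_token(data["authorizationToken"])
    return registry_host(data["proxyEndpoint"]), user, password


# Constructed sample values (not real credentials or a real registry).
SAMPLE_TOKEN = base64.b64encode(b"AWS:example-password-with:colons").decode()
SAMPLE_ENDPOINT = "https://123456789012.dkr.ecr.us-east-1.amazonaws.com"

if __name__ == "__main__":
    user, password = parse_authorization_token(SAMPLE_TOKEN)
    host = registry_host(SAMPLE_ENDPOINT)
    # This is the shape of the command docker needs; the password goes on stdin, never argv.
    print(f"echo '<password>' | docker login --username {user} --password-stdin {host}")
```

the practical point of the note above: GetAuthorizationToken is registry-wide and is the gate for everything else, but it does not by itself grant push or pull; those still need repository-level actions (ecr:BatchGetImage, ecr:PutImage, ...) from one of the managed policies or a custom one. for humans the aws cli wraps all of this as `aws ecr get-login-password`.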