
Fully managed, private Git repositories — no servers to provision, no software to install
AWS CodeCommit is a fully managed source control service that hosts secure, private Git repositories in the AWS cloud. It eliminates the need to operate your own source control system or worry about scaling infrastructure, and integrates natively with other AWS Developer Tools services like CodePipeline, CodeBuild, and CodeDeploy. CodeCommit supports standard Git commands and workflows, enabling teams to collaborate on code with fine-grained IAM-based access control, encryption at rest and in transit, and no repository size limits.
Host private Git repositories on AWS with native IAM integration, eliminating self-managed source control infrastructure while enabling seamless CI/CD pipeline triggers
Use When
Full Git compatibility (HTTPS and SSH): Works with any Git client; supports standard git clone, push, pull, branch, merge workflows.
IAM-based access control: Fine-grained permissions at repository, branch, and action level using IAM policies; no separate user management system.
Encryption at rest: Repositories are automatically encrypted using AWS KMS (AWS managed key by default; customer managed keys supported).
Encryption in transit: All data transferred over HTTPS or SSH is encrypted.
Pull requests and code reviews: Supports pull requests with comments, approvals, and approval rule templates.
Approval rule templates: Define approval requirements (e.g., minimum approvers) that auto-apply to repositories across your account.
Repository triggers (SNS / Lambda): Up to 10 triggers per repository for push events and branch creation/deletion.
Amazon EventBridge integration: Richer event routing than native triggers; can fan out to multiple targets beyond the 10-trigger limit.
AWS CloudTrail integration: All API calls are logged for auditing and compliance.
Cross-account access: Use IAM roles with cross-account trust policies; no separate credential system needed.
VPC support (private connectivity): Access via VPC endpoints (AWS PrivateLink); traffic does not traverse the public internet.
Avoid When
Git LFS (Large File Storage): CodeCommit does NOT support Git LFS; use S3 for large binary files.
Built-in CI/CD execution: CodeCommit only stores code; CI/CD requires CodePipeline + CodeBuild + CodeDeploy.
Issue tracking / project boards: No native issue tracking; use Jira, GitHub Issues, or AWS Management Console workarounds.
Source Stage Trigger (high frequency): CodeCommit acts as the Source stage in a CodePipeline pipeline. A push to a monitored branch automatically triggers the pipeline execution. This is the most common CodeCommit integration pattern tested on exams; it replaces polling with event-driven execution via EventBridge.
Automated Build on Push (high frequency): CodeCommit triggers CodeBuild directly via CodePipeline or EventBridge rules. CodeBuild fetches source from CodeCommit, runs the buildspec.yml, and produces artifacts. Exams test that CodeBuild needs IAM permissions to clone from CodeCommit.
Full Native CI/CD Pipeline (high frequency): CodeCommit (source) → CodeBuild (build/test) → CodeDeploy (deploy), orchestrated by CodePipeline. This four-service combination (the 'AWS Developer Tools' suite) is the canonical AWS-native CI/CD answer on all associate and professional exams.
Artifact Storage Separation (high frequency): CodeCommit stores source code (Git objects); CodeBuild outputs build artifacts to S3. Exams frequently test that S3 is NOT a replacement for CodeCommit: S3 versioning ≠ Git version control. S3 stores artifacts; CodeCommit stores source.
Event-Driven Code Review Automation (medium frequency): Repository triggers or EventBridge rules invoke Lambda functions on push events (e.g., to enforce commit message standards, notify Slack, or run security scans). Lambda is invoked asynchronously by the trigger.
Private Repository Access via PrivateLink (medium frequency): Configure a VPC interface endpoint for CodeCommit so EC2 instances, ECS tasks, or Lambda functions access repositories without traversing the public internet. Required for high-security or compliance architectures.
Browser-Based Git Operations (medium frequency): AWS CloudShell provides a browser-based shell pre-authenticated with the current IAM principal, allowing git clone/push/pull to CodeCommit without configuring local credentials. Useful for quick administrative tasks.
Push Notification on Repository Events (medium frequency): Repository triggers can publish to SNS topics on branch push, tag creation, or deletion events. SNS then fans out to email, SMS, SQS, or Lambda subscribers for team notifications.
CodeCommit IS a fully managed Git service — it supports all standard Git operations (clone, push, pull, branch, merge, rebase). Any question asking for a 'managed private Git repository on AWS' has CodeCommit as the correct answer.
S3 versioning is NOT equivalent to Git version control. S3 cannot provide branching, merging, pull requests, commit history, or diff views. If a question involves source code management or version control workflows, CodeCommit is correct — not S3.
Authentication to CodeCommit uses IAM — specifically Git credentials (HTTPS username/password generated in IAM), SSH keys uploaded to IAM user profiles, or AWS CLI credential helper (for roles/temporary credentials). There is NO CodeCommit-specific user directory.
The four AWS Developer Tools services and their roles: CodeCommit (store source) → CodeBuild (compile/test) → CodeDeploy (deploy to compute) → CodePipeline (orchestrate). Memorize this pipeline order — exam questions frequently test which service performs which function.
S3 versioning ≠ Git version control. Only CodeCommit provides true Git repository management with branches, commits, merges, and pull requests. Any exam question about 'source code version control on AWS' = CodeCommit.
Memorize the four Developer Tools roles: CodeCommit=Store, CodeBuild=Build, CodeDeploy=Deploy, CodePipeline=Orchestrate. Exam questions test whether you can assign the right service to the right function in a CI/CD pipeline.
CodeCommit authentication is 100% IAM-based — Git HTTPS credentials, SSH keys, or credential helper for roles. There is no separate CodeCommit user management system. Cross-account access uses IAM role assumption.
CodeCommit triggers have a hard limit of 10 per repository and support only SNS and Lambda targets. If you need more than 10 event targets or want to route to services like SQS, Step Functions, or EventBridge Pipes, use Amazon EventBridge (CloudWatch Events) rules instead.
For cross-account CodeCommit access, use IAM roles with cross-account trust — NOT IAM users in the owning account with shared credentials. The accessing account's IAM principal assumes a role in the repository account.
CodeCommit does NOT support Git LFS (Large File Storage). If a scenario involves large binary files (videos, ML model weights, game assets) in a Git workflow, the correct answer is to store binaries in S3 and reference them, not to use CodeCommit directly.
CodeCommit is a REGIONAL service. Repositories are created in a specific AWS Region and data does not automatically replicate across regions. For multi-region DR, you must implement cross-region replication manually (e.g., using Lambda + git mirror or CodePipeline).
When CodePipeline uses CodeCommit as a source, new pipelines detect changes through Amazon EventBridge by default rather than by polling; older pipelines may still use periodic polling. This distinction matters for latency and cost optimization questions.
Approval rule templates in CodeCommit let you define pull request approval requirements (minimum number of approvers, specific IAM principals) that automatically apply to all pull requests in associated repositories — useful for enforcing code review policies at scale.
Common Mistake: Amazon S3 with versioning enabled can replace AWS CodeCommit for source code management.
Correct: S3 versioning only tracks object versions; it has no concept of branches, commits, diffs, merges, pull requests, or collaborative Git workflows. CodeCommit is a full Git implementation; S3 is object storage with version history.
This is the #1 trap on exams. Questions describe 'storing code with version history' and list S3 as an option. Remember: S3 = artifact/object storage; CodeCommit = source control. They serve completely different purposes in a CI/CD pipeline.
Common Mistake: Any AWS service that 'handles code' (like CodeBuild or CodeDeploy) can also manage repositories.
Correct: CodeBuild BUILDS code (compiles, tests, packages). CodeDeploy DEPLOYS code to compute resources. Only CodeCommit STORES and MANAGES source code in Git repositories. Each service has one primary responsibility.
Exam questions test whether you can distinguish the four Developer Tools services. Use the mnemonic: Commit=Store, Build=Compile, Deploy=Release, Pipeline=Orchestrate.
Common Mistake: CodeCommit requires you to create separate usernames and passwords in a CodeCommit-specific console.
Correct: CodeCommit uses IAM for all authentication. You either generate Git HTTPS credentials in the IAM console (under Security Credentials), upload SSH public keys to your IAM user profile, or use the AWS credential helper for temporary role-based credentials.
Candidates who use GitHub/GitLab expect a separate user management UI. On exams, any answer suggesting CodeCommit has its own user directory is wrong. IAM IS the user directory for CodeCommit.
Common Mistake: CodeCommit can replace GitHub/GitLab entirely, including issue tracking, project management, and third-party CI integrations.
Correct: CodeCommit provides only Git repository functionality with AWS-native integrations. It lacks built-in issue tracking, project boards, marketplace integrations, and the rich ecosystem of GitHub Actions or GitLab CI. It excels at AWS-native CI/CD, not as a full DevOps platform.
Exam questions test when to use CodeCommit vs. third-party SCM. If the scenario requires AWS-native integration, compliance, or IAM control, choose CodeCommit. If it requires a rich DevOps ecosystem, GitHub/GitLab are valid, and CodePipeline supports them as sources too.
Common Mistake: CodeCommit triggers and Amazon EventBridge notifications for CodeCommit are the same thing.
Correct: CodeCommit native triggers are configured directly in the repository settings, support only SNS and Lambda targets, and are limited to 10 per repository. EventBridge rules listen to CodeCommit state change events and can route to dozens of AWS targets with filtering, transformation, and no hard limit.
Exam questions about exceeding the trigger limit or routing to non-SNS/Lambda targets require EventBridge as the answer. If you see '10 triggers is not enough' or 'need to route to SQS/Step Functions,' EventBridge is correct.
Common Mistake: CodeCommit repositories have a maximum size limit similar to S3 object limits (5 TB).
Correct: CodeCommit does not impose a maximum repository size limit. There is no documented ceiling on total repository storage. The 6 MB limit applies only to individual files uploaded via the AWS console/API, not to standard git push operations.
Candidates conflate S3's 5 TB per-object limit with CodeCommit. This matters when evaluating whether CodeCommit can handle large monorepos. The correct answer is that repository size is not a constraint.
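The filtering that distinguishes an EventBridge rule from a native trigger (both in the key facts above and in this Common Mistake) is done by an event pattern matched against the CodeCommit Repository State Change event. The following is an added example (not code from this page or from AWS): MAIN_BRANCH_PATTERN is the pattern a rule would carry to catch updates and deletions of one repository's main branch, matches() implements the exact-match subset of EventBridge semantics that pattern relies on, and make_event() constructs sample events in the shape of that state change event. The repository ARN and the sample values are assumptions.

```python
"""EventBridge rule pattern for CodeCommit main-branch changes, with a matcher.

Added example, not from the page or from AWS. MAIN_BRANCH_PATTERN is the event
pattern for an EventBridge rule; matches() implements the exact-match subset
of EventBridge matching that the pattern relies on. The repository ARN is
assumed and make_event() builds constructed sample events.
"""

REPO_ARN = "arn:aws:codecommit:us-east-1:123456789012:demo-repo"  # assumed value

# Only updates/deletions of the branch named "main" in REPO_ARN match;
# tags named "main", other branches and other repositories do not.
MAIN_BRANCH_PATTERN = {
    "source": ["aws.codecommit"],
    "detail-type": ["CodeCommit Repository State Change"],
    "resources": [REPO_ARN],
    "detail": {
        "event": ["referenceUpdated", "referenceDeleted"],
        "referenceType": ["branch"],
        "referenceName": ["main"],
    },
}


def matches(pattern, event):
    """Exact-match subset of EventBridge pattern semantics.

    Every key in the pattern must exist in the event. A list in the pattern
    means "the event value equals any listed value"; when the event field is
    itself a list (e.g. resources) any element may match. Nested dicts recurse.
    Content filters such as prefix or anything-but are not modelled.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
            continue
        candidates = actual if isinstance(actual, list) else [actual]
        if not any(value in expected for value in candidates):
            return False
    return True


def make_event(event_name, reference_name, reference_type="branch", repo_arn=REPO_ARN):
    """Constructed CodeCommit Repository State Change event (sample values only)."""
    ref_kind = "heads" if reference_type == "branch" else "tags"
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "CodeCommit Repository State Change",
        "source": "aws.codecommit",
        "account": "123456789012",
        "time": "2026-01-01T00:00:00Z",
        "region": "us-east-1",
        "resources": [repo_arn],
        "detail": {
            "event": event_name,
            "repositoryName": repo_arn.rsplit(":", 1)[-1],
            "referenceType": reference_type,
            "referenceName": reference_name,
            "referenceFullName": f"refs/{ref_kind}/{reference_name}",
            "callerUserArn": "arn:aws:sts::123456789012:assumed-role/DeveloperRole/alice",
        },
    }


if __name__ == "__main__":
    for sample in (
        make_event("referenceUpdated", "main"),
        make_event("referenceCreated", "main"),
        make_event("referenceUpdated", "develop"),
        make_event("referenceUpdated", "main", reference_type="tag"),
    ):
        detail = sample["detail"]
        print(detail["event"], detail["referenceFullName"], "->", matches(MAIN_BRANCH_PATTERN, sample))
```

A single rule with this pattern can fan out to SQS, Step Functions, Lambda, SNS and other targets, which is the capability native triggers lack; the pattern is the same JSON you would paste into the rule's event pattern field.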
The AWS Developer Tools Pipeline: 'Can Bears Deploy Production?' → Commit (store) → Build (compile) → Deploy (release) → Pipeline (orchestrate)
CodeCommit Auth = IAM Only: 'I Always Manage credentials in IAM' — no separate CodeCommit user system exists
Triggers vs EventBridge: 'Ten Triggers Top out, EventBridge Expands' — when you need more than 10 targets or non-SNS/Lambda destinations, use EventBridge
S3 ≠ Git: 'S3 Stores Stuff, CodeCommit Controls Code' — versioning ≠ version control
CertAI Tutor · DVA-C02, SAA-C03, DEA-C01, CLF-C02 · 2026-02-21