AWS Automation Cookbook

By: Nikit Swaraj
Overview of this book

AWS CodeDeploy, AWS CodeBuild, and CodePipeline are scalable services offered by AWS that automate an application's build and deployment pipeline. In order to deliver tremendous speed and agility, every organization is moving toward automating its entire application pipeline. This book covers all the AWS services required to automate your deployment to your instances. You'll begin by setting up and using one of the AWS services for automation, CodeCommit. Next, you'll learn how to build a sample Maven and NodeJS application using CodeBuild. After you've built the application, you'll see how to use CodeDeploy to deploy the application in EC2/Auto Scaling. You'll also build a highly scalable and fault-tolerant Continuous Integration (CI)/Continuous Deployment (CD) pipeline using some easy-to-follow recipes. Following this, you'll achieve CI/CD for a microservice application and reduce the risk within your software development life cycle globally. You'll also learn to set up an infrastructure using CloudFormation templates and Ansible, and see how to automate AWS resources using AWS Lambda. Finally, you'll learn to automate instances in AWS and automate the deployment lifecycle of applications. By the end of this book, you'll be able to minimize application downtime and implement CI/CD, gaining total control over your software development lifecycle.

Applying security and restrictions

In an enterprise where a product is being developed, many developers on different teams work with different repositories, but all within the same Git-based VCS.

In CodeCommit, if we give a user AWSCodeCommitPowerUser access, that user has full control over all repositories except deleting them. A Power User can therefore read the source code of every other team's repository, so there is no isolation between repositories at all. This is the kind of permission you should avoid giving another user.

Some companies have a different use case: only a few of their developers need access to the Git-based commands, and only on a specific repository. This recipe shows how to implement that scenario.

Getting ready

To implement this scenario, we use AWS IAM, where we create a user and attach a custom CodeCommit policy to it. That policy grants access to only a specific repository and only specific Git commands.

How to do it...

Let's get started with that, and perform the following operations:

  1. First of all, let's create a custom policy that holds the restriction definition.
  2. Go to the IAM Console and click on the Policies section. Then, click on Create Policy:
  3. Click on Create Your Own Policy:
  4. You will be redirected to another page where you have to fill in the Policy Name, a description of the policy, and a policy document. The policy document is the definition, where we mention the resources and actions:
  5. Insert the following policy definition (x60xxxxxxx39 will basically be your account ID):

     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Action": [
                     "codecommit:GitPull",
                     "codecommit:GitPush"
                 ],
                 "Resource": "arn:aws:codecommit:us-east-1:x60xxxxxxx39:HelloWorld"
             }
         ]
     }

  6. Click on Create Policy; we now have our own custom policy:
  7. Now, let's remove the AWSCodeCommitPowerUser access from the IAM user that we created to clone the repository, by clicking on x:
  8. Click on Add permissions, then click on Attach Existing Policies Directly, search for the policy name in the filter, check it, and save:
  9. We now have a user with only our custom policy, which means the user only has access to the HelloWorld repository and only two actions, git push and git clone:

     awsstar@awsstar:~$ aws codecommit list-repositories
     An error occurred (AccessDeniedException) when calling the ListRepositories operation: User: arn:aws:iam::16xxxxxx139:user/awsccuser is not authorized to perform: codecommit:ListRepositories

The preceding command output shows AccessDeniedException, that is, awsccuser is not authorized to perform codecommit:ListRepositories. The reason is that the policy grants only two actions, git push and git clone (codecommit:GitPush and codecommit:GitPull), on a single repository ARN; anything else is implicitly denied.
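To see why the custom policy produces exactly that AccessDeniedException, the following added example (not from the book) builds the recipe's policy document for a given account, region and repository, and runs requests through a deliberately simplified IAM evaluator: explicit Deny wins, a matching Allow permits, and anything unmatched is implicitly denied. Conditions, NotAction/NotResource and resource policies are assumed out of scope; the account ID and the second repository name are constructed sample values.

```python
"""Least-privilege CodeCommit policy from the recipe, plus a simplified
evaluator showing which requests it allows. Not IAM's full engine: no
Condition, NotAction/NotResource, SCPs or resource-based policies."""
import json
from fnmatch import fnmatchcase


def build_codecommit_policy(account_id, region, repo_name):
    """Return the recipe's policy as a dict: only GitPull and GitPush on
    one repository ARN. Everything else is implicitly denied."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["codecommit:GitPull", "codecommit:GitPush"],
            "Resource": f"arn:aws:codecommit:{region}:{account_id}:{repo_name}",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Evaluate one request against a single identity policy.

    Action names are compared case-insensitively (as IAM does); resource
    ARNs are compared case-sensitively. An explicit Deny short-circuits;
    with no matching statement the request is implicitly denied, which is
    what the ListRepositories failure in the recipe shows.
    """
    decision = "deny"
    for stmt in policy["Statement"]:
        action_hit = any(fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = "allow"
    return decision == "allow"


if __name__ == "__main__":
    # Constructed sample values, not a real account or repository.
    policy = build_codecommit_policy("123456789012", "us-east-1", "HelloWorld")
    print(json.dumps(policy, indent=4))
    hello = "arn:aws:codecommit:us-east-1:123456789012:HelloWorld"
    other = "arn:aws:codecommit:us-east-1:123456789012:Payments"
    print(is_allowed(policy, "codecommit:GitPull", hello))         # True
    print(is_allowed(policy, "codecommit:GitPull", other))         # False
    print(is_allowed(policy, "codecommit:ListRepositories", "*"))  # False
```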