Ensure AWS Codecommit branch changes have at least 2 approvals

Error: AWS CodeCommit branch changes have fewer than 2 approvals

Bridgecrew Policy ID: BC_AWS_GENERAL_133
Checkov Check ID: CKV_AWS_257
Severity: LOW

AWS CodeCommit branch changes have fewer than 2 approvals

Description

The best practice for merging new code into a code base is to require at least two reviewers to approve each change before it is merged. AWS CodeCommit can enforce this through an approval rule template that sets the number of approvals a pull request needs.

Fix - Runtime

  1. In the AWS console, go to CodeCommit.
  2. Select Approval Rule Templates and then Create Template.
  3. Under Number of approvals needed, add at least two approvals.

Fix - Buildtime

Terraform

resource "aws_codecommit_approval_rule_template" "example" {
...
  content = <<EOF
{
    "Version": "2018-11-08",
    "DestinationReferences": ["refs/heads/master"],
    "Statements": [{
        "Type": "Approvers",
+        "NumberOfApprovalsNeeded": 2,
        "ApprovalPoolMembers": ["arn:aws:sts::123456789012:assumed-role/CodeCommitReview/*"]
    }]
}
EOF
...
}
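The console steps and the Terraform snippet above both end up producing the same approval rule template content document: a JSON object whose `Approvers` statement carries `NumberOfApprovalsNeeded`. The following is an added example, not code from the Checkov project or from this page, that shows what a check in the spirit of CKV_AWS_257 has to look at: it parses that content document, returns the number of approvals the template actually requires (a missing or absent `Approvers` statement counts as zero), and builds a compliant document the way the buildtime fix does. The function names, the failing sample and the passing sample are constructed for this example; the `Version` string and the ARN in the pool are taken from the Terraform above.

```python
import json

# Threshold the policy enforces: a branch change needs at least two approvals.
MIN_APPROVALS = 2


def count_required_approvals(content):
    """Return the smallest NumberOfApprovalsNeeded across all Approvers statements.

    `content` is the JSON document assigned to the template's `content`
    attribute (the heredoc in the Terraform resource). A template with no
    Approvers statement, or one that omits the count, requires nothing, so 0
    is returned. Taking the minimum is deliberately conservative: if any
    statement would let a change through with fewer approvals, that is the
    number that matters.
    """
    doc = json.loads(content) if isinstance(content, str) else content
    needed = []
    for stmt in doc.get("Statements", []):
        if stmt.get("Type") != "Approvers":
            continue
        needed.append(int(stmt.get("NumberOfApprovalsNeeded", 0)))
    return min(needed) if needed else 0


def check_template(content, minimum=MIN_APPROVALS):
    """True when the template satisfies the policy, False otherwise."""
    return count_required_approvals(content) >= minimum


def scan_templates(templates, minimum=MIN_APPROVALS):
    """Given {resource_name: content}, return the names that fail the policy.

    Mirrors how a buildtime scanner reports findings per resource.
    """
    return sorted(name for name, content in templates.items()
                  if not check_template(content, minimum))


def build_template_content(branches, approver_pool, approvals=MIN_APPROVALS,
                           version="2018-11-08"):
    """Build a compliant content document for aws_codecommit_approval_rule_template.

    Refuses to build a document that would itself fail the policy, so a
    misconfigured caller cannot silently produce a weak template.
    """
    if approvals < MIN_APPROVALS:
        raise ValueError(f"approvals must be >= {MIN_APPROVALS}, got {approvals}")
    doc = {
        "Version": version,
        "DestinationReferences": list(branches),
        "Statements": [{
            "Type": "Approvers",
            "NumberOfApprovalsNeeded": approvals,
            "ApprovalPoolMembers": list(approver_pool),
        }],
    }
    return json.dumps(doc, indent=4)


# Constructed samples (not real templates from any account).
FAILING_CONTENT = json.dumps({
    "Version": "2018-11-08",
    "DestinationReferences": ["refs/heads/master"],
    "Statements": [{
        "Type": "Approvers",
        "NumberOfApprovalsNeeded": 1,
        "ApprovalPoolMembers": ["arn:aws:sts::123456789012:assumed-role/CodeCommitReview/*"],
    }],
})

# Content with no Approvers statement at all: nothing is required.
EMPTY_CONTENT = json.dumps({"Version": "2018-11-08", "Statements": []})

PASSING_CONTENT = build_template_content(
    branches=["refs/heads/master"],
    approver_pool=["arn:aws:sts::123456789012:assumed-role/CodeCommitReview/*"],
)

SAMPLE_TEMPLATES = {
    "example_one_approver": FAILING_CONTENT,
    "example_no_statement": EMPTY_CONTENT,
    "example_two_approvers": PASSING_CONTENT,
}


if __name__ == "__main__":
    for name, content in SAMPLE_TEMPLATES.items():
        verdict = "PASSED" if check_template(content) else "FAILED"
        print(f"{verdict}: {name} requires {count_required_approvals(content)} approval(s)")
    print("failing resources:", scan_templates(SAMPLE_TEMPLATES))
```

Running it reports the one-approver and empty templates as failing and the two-approver template as passing. The same `check_template` logic applies to templates already deployed in an account: the `content` field returned for each template by the CodeCommit API is the same JSON document, so a runtime audit only differs in where the document comes from.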