Security Overview of Amazon CodeGuru Reviewer
Notices
Customers are responsible for making their own independent assessment of the
information in this document. This document: (a) is for informational purposes only, (b)
represents current AWS product offerings and practices, which are subject to change
without notice, and (c) does not create any commitments or assurances from AWS and
its affiliates, suppliers or licensors. AWS products or services are provided “as is”
without warranties, representations, or conditions of any kind, whether express or
implied. The responsibilities and liabilities of AWS to its customers are controlled by
AWS agreements, and this document is not part of, nor does it modify, any agreement
between AWS and its customers.
© 2021 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Contents
Introduction .......................................................................................................................... 1
Security for Amazon CodeGuru Reviewer .......................................................................... 2
Workflows ......................................................................................................................... 2
Data retention and protection .......................................................................................... 6
Data encryption ................................................................................................................ 6
VPC endpoints (AWS PrivateLink) .................................................................................. 7
Infrastructure Security ...................................................................................................... 7
Amazon S3 bucket protection in the Security and CI workflow ...................................... 8
IAM Roles and permissions: ............................................................................................ 8
Logging and Monitoring ................................................................................................... 9
Amazon CodeGuru Reviewer Repository Support ....................................................... 10
The Shared Responsibility Model .................................................................................. 13
Contributors ....................................................................................................................... 15
Further Reading ................................................................................................................. 15
Document Revisions.......................................................................................................... 16
Appendix A: Glossary of Terms ........................................................................................ 16
Amazon CodeGuru Reviewer Terminology ................................................................... 16
Amazon CodeGuru Profiler Terminology ...................................................................... 17
Related Services Terminology ....................................................................................... 17
Abstract
This whitepaper provides a security overview of Amazon CodeGuru: how it
safeguards customer data, how it manages data retention, and how intelligent
recommendations are generated and published. This paper also provides guidance on
securely using Amazon CodeGuru Reviewer in your environment.
The intended audience for this whitepaper is Chief Information Security Officers
(CISOs), information security groups, security analysts, enterprise architects,
compliance teams, developers, and anyone interested in understanding the security
design principles of the Amazon CodeGuru service.
Introduction
Amazon CodeGuru is a developer tool that provides intelligent recommendations to help
improve your code quality and identify an application’s most expensive lines of code.
Human code reviewers can be expensive, hard to scale, and may miss potential bugs
introduced with new software code.
Amazon CodeGuru is made up of two components to provide recommendations:
Reviewer which runs automated code reviews and carries out static code analysis, and
Profiler which evaluates dynamic application performance at runtime. Provided
recommendations are generated using machine learning (ML) models that have been
trained from millions of code-reviews and tens of thousands of application profiles
conducted within Amazon and open-source projects.
Amazon CodeGuru Overview
Amazon CodeGuru Reviewer is a valuable software development tool. However, it is a
complement to human code reviewers and is not designed to be a replacement. Human
code reviews traditionally focus on business logic, while Amazon CodeGuru evaluates
functional correctness of software code and can provide recommendations to reduce
software code defects.
You can associate CodeGuru Reviewer with a repository to allow CodeGuru Reviewer
to provide recommendations by automatically analyzing pull requests and running
Amazon Web Services Security Overview of Amazon CodeGuru Reviewer
2
checks on the code in your branch. Enabling CodeGuru Reviewer will help improve
code quality and agility across your teams.
In this whitepaper, we focus on the functionality built into the CodeGuru
Reviewer service that secures code-review operations and helps protect
customer data. We also highlight best practices for securely using the
service and give insight into the operations carried out within the service.
Security for Amazon CodeGuru Reviewer
Amazon CodeGuru Reviewer can be invoked by multiple different workflows.
Workflows
Below is a review of the actions carried out within the CodeGuru service for each
workflow and the security considerations. Table 1 summarizes the details of each
workflow.
• Pull Request workflow: Once the repository is associated with CodeGuru, using
either the dashboard, AWS CLI, or AWS APIs, a developer creates a pull-request
to invoke CodeGuru Reviewer to scan the added or modified code and provide
recommendations.
• Repository Analysis workflow: This workflow is invoked by using the
CodeGuru Reviewer, AWS CLI, or AWS SDK APIs, and carries out code quality
analysis on the full repository.
• Security analysis workflow: This workflow is invoked from the CodeGuru
Reviewer dashboard and carries out a security and code quality analysis. This
workflow allows CodeGuru Reviewer to create an Amazon Simple Storage
Service (Amazon S3) bucket where the source code and build artifact will be
stored for analysis. The S3 bucket contains the minimum AWS Identity and
Access Management (IAM) permissions required for CodeGuru Reviewer to
perform a code and security review.
• CI integrated workflow: This workflow is invoked from within the integrated CI
workflow, and carries out a security and code quality analysis. This workflow
creates an S3 bucket (if one does not already exist). The S3 bucket contains the
minimum IAM permissions required for CodeGuru Reviewer to perform a code
and security review.
Table 1 - Details of invoked workflows

Workflow name                | Code review type                 | Operational triggers  | Code staging before code analysis | Language support
Pull-request workflow        | Code Quality Analysis            | Pull Request          | Associated Repository             | Java, Python
Repository analysis workflow | Code Quality Analysis            | Repository analysis   | Associated Repository             | Java, Python
Security analysis workflow   | Security + Code Quality Analysis | Repository analysis   | S3 bucket                         | Java
CI integrated workflow       | Security Analysis                | CI trigger definition | S3 bucket                         | Java
Pull Request workflow and Repository Analysis workflow
In a standard pull-request (PR) workflow, a developer will start by associating a code
repository such as GitHub or AWS CodeCommit with Amazon CodeGuru.
Amazon CodeGuru Reviewer pull-request workflow
Once the repository is associated, CodeGuru is automatically subscribed to pull-request
notifications from the repository. When a developer creates a pull-request, a notification
is sent to the CodeGuru Reviewer Service. CodeGuru executes a git clone and securely
pulls the customer code into an ephemeral AWS ECS Fargate container instance. This
instance is dedicated to the request and has single tenancy per ephemeral container.
CodeGuru Reviewer uses this instance to run analysis and inference in a sandboxed
environment. The sandboxed environment offers VM level isolation between its tasks.
Since the container runs in an access-restricted Amazon Virtual Private Cloud (Amazon
VPC), the customer code is protected from external access sessions (e.g., SSH or SCP).
Once the code analysis is completed, the recommendations are generated and
published as comments on the pull request in the repository. The
recommendations are then stored in the CodeGuru service's code-review history.
Subsequently, regardless of whether the analysis completes successfully or fails, the
code on these containers is deleted by the service and the containers are removed.
The same process is followed for the full repository analysis workflow.
Security analysis workflow and CI integrated workflow
This workflow is invoked from the CodeGuru dashboard console or from within an
integrated CI workflow.
Amazon CodeGuru Reviewer integrated CI workflow
In this workflow, you create an S3 bucket which must include a specific
prefix codeguru-reviewer- with a secure bucket policy for CodeGuru
Reviewer analysis. This bucket will be used to upload a copy of your
software source code and build artifact. This S3 bucket is created once per
Region for CodeGuru Reviewer service and is utilized for subsequent
security code-review requests.
CodeGuru copies the contents to the internal ephemeral artifact storage that
is not exposed to the user. This artifact storage layer consists of an S3
bucket used to store code and artifacts (different from the above user-facing
S3 bucket created) and DynamoDB tables used to store metadata
information about the code review request in the CodeGuru Reviewer
service account. An ephemeral AWS ECS Fargate container instance is
also instantiated and dedicated to the request and has single tenancy per
ephemeral container. CodeGuru Reviewer uses this instance to run analysis
and inference in a sandboxed environment. The sandboxed environment
offers VM-level isolation between its tasks. Since the container runs in an
access-restricted VPC, the customer code is protected from any external
access, e.g., SSH or SCP sessions. Once the code analysis is completed,
the recommendations are generated and published to the user. Using an S3
lifecycle policy to expire objects, Amazon CodeGuru Reviewer removes the
customer code, which is stored and encrypted, from its internal ephemeral
artifact storage within three calendar days. The user-facing S3 bucket is not
deleted at the end of the code review.
Data retention and protection
For each of the workflows discussed, code will be fetched to generate
recommendations using a pre-trained SageMaker model.
The recommendation text is generated by the model and encrypted using
service owned Customer Managed Keys (CMK). These service owned
CMKs are a collection of CMKs that an AWS service owns and manages for
use in multiple AWS accounts. For each recommendation, metadata is
stored only with information such as line number, start and end line of the
recommendation, file path, and repository name. The Reviewer
SageMaker models are pre-trained and do not learn from customer code
reviews. Amazon CodeGuru Reviewer will purge the recommendation text
after 90 days.
Amazon CodeGuru Reviewer stores the following items to create code reviews:
• Repository metadata (e.g. the name and owner of a repository)
• Recommendations generated by CodeGuru Reviewer
• Pull request metadata (e.g. the author and branch of a pull request)
• Feedback submitted by customers about code reviews
Amazon CodeGuru Reviewer maintains a history of code-reviews by storing the line
number, a link to code, and metadata for 90 days.
Amazon CodeGuru stores the recommendations (encrypted with KMS service key) that
are generated from repository analysis or security analysis, for 90 days. After 90 days,
both the recommendations and pull requests jobs metadata will be purged from the
service.
Once you have disassociated a code repository from Amazon CodeGuru, it no longer
has access to events (webhooks) generated by the source code repository.
Data encryption
Both data at rest and data in transit are encrypted by default in Amazon CodeGuru
Reviewer.
• Encryption of data at rest: Data collected by CodeGuru Reviewer is stored
using Amazon S3 and Amazon DynamoDB, which are not exposed to the user. As
explained previously, the data is encrypted using their native data-at-rest
encryption capabilities.
• Encryption of data in transit: Communication between customers and
CodeGuru Reviewer and between CodeGuru Reviewer and its downstream
dependencies is protected using TLS connections, and requests are signed using
the Signature Version 4 signing process. All CodeGuru Reviewer endpoints use
SHA-256 certificates that are managed by AWS Certificate Manager Private
Certificate Authority.
VPC endpoints (AWS PrivateLink)
You can use VPC endpoints when you call Amazon CodeGuru Reviewer APIs. When
you use VPC endpoints, your API calls are more secure because they are contained
within your VPC and do not traverse across the public internet. We recommend using
VPC endpoints as a security best practice to protect the API calls, especially when
programmatically accessing the service.
You can establish a private connection between your VPC and CodeGuru Reviewer by
creating an interface VPC endpoint. Interface endpoints are powered by AWS
PrivateLink, a technology that enables you to privately access CodeGuru Reviewer
APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect
connection. Instances in your VPC do not need public IP addresses to communicate
with CodeGuru Reviewer APIs. Traffic between your VPC and CodeGuru Reviewer
does not leave the Amazon network.
Each interface endpoint is represented by one or more Elastic Network Interfaces in
your subnets.
CodeGuru Reviewer supports making calls to all of its APIs from your VPC. VPC
endpoints are supported but VPC endpoint policies are not supported for CodeGuru
Reviewer. By default, full access to CodeGuru Reviewer is allowed through the
endpoint.
Infrastructure Security
You can use AWS published API calls to access CodeGuru Reviewer through the
network; however, clients must support Transport Layer Security (TLS) 1.0 or later (we
recommend TLS 1.2 or later). Clients must also support cipher suites with perfect
forward secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve
Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later
support these modes.
Requests must be signed by using an access key ID and a secret access
key that is associated with an IAM principal. Or you can use the AWS
Security Token Service (AWS STS) to generate temporary security
credentials to sign requests.
Amazon S3 bucket protection in the Security and CI
workflow
When code reviews are conducted using the security analysis workflow or CI integrated
workflow in Table 1, a new S3 bucket is created in your account for that Region so the
CodeGuru service can conduct the code review. This S3 bucket is used to store the
source code and build artifacts as .zip files, and is retained in that Region for subsequent
CodeGuru Reviewer code reviews. The S3 bucket contains the minimum
IAM permissions required for CodeGuru Reviewer to perform the code security analysis.
CodeGuru Reviewer requires only one S3 bucket to store the source code and build
artifacts to conduct the code reviews for each of its workflows. However, you can create
new repositories, or prefixes, in the S3 bucket for subsequent code reviews. Typically, a
new repository is created for a different application.
We recommend that you don’t change the assigned permissions for the S3 bucket and
maintain minimum permissions for carrying out the expected tasks.
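As an added example (not AWS code, and not the policy the console attaches), the checker below verifies offline that a candidate bucket name carries the codeguru-reviewer- prefix and is a valid S3 bucket name, and lints a bucket policy for grants that go beyond the minimum the text recommends. The sample policies are constructed for the demonstration, and the service principal used in SCOPED_POLICY is assumed, not taken from the whitepaper.

```python
import json
import re

BUCKET_PREFIX = "codeguru-reviewer-"
# General S3 bucket-name rules: 3-63 characters, lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit.
_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def check_bucket_name(name):
    """Return a list of problems; an empty list means the name is acceptable."""
    problems = []
    if not _NAME_RE.match(name):
        problems.append("not a valid S3 bucket name")
    if not name.startswith(BUCKET_PREFIX):
        problems.append(f"name does not start with {BUCKET_PREFIX}")
    return problems


def _principals(stmt):
    """Flatten the Principal element of a statement into a list of strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        values = []
        for v in principal.values():
            values.extend(v if isinstance(v, list) else [v])
        return values
    return [principal]


def check_bucket_policy(policy_json):
    """Flag Allow statements that widen access beyond what a code-review bucket needs."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        # An unconditioned grant to "*" makes the bucket reachable by anyone.
        if "*" in _principals(stmt) and "Condition" not in stmt:
            findings.append(f"{sid}: grants access to any principal (anonymous)")
        # Wildcard actions defeat the "minimum permissions" goal.
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: uses a wildcard action")
    return findings


# Constructed sample policies for this example (not the policy CodeGuru attaches).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:*",
                   "Resource": "arn:aws:s3:::codeguru-reviewer-example/*"}],
})
# Assumed service principal for illustration only.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ServiceRead", "Effect": "Allow",
                   "Principal": {"Service": "codeguru-reviewer.amazonaws.com"},
                   "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::codeguru-reviewer-example/*"}],
})

if __name__ == "__main__":
    print(check_bucket_name("codeguru-reviewer-example"))   # []
    print(check_bucket_policy(WEAK_POLICY))                  # two findings
    print(check_bucket_policy(SCOPED_POLICY))                # []
```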
IAM Roles and permissions
CodeGuru Reviewer may be used by any of the following user personas:
1. Developer (Service user): This user regularly uses CodeGuru Reviewer service to conduct code reviews.
2. CodeGuru Administrator (Service administrator): The administrator determines which CodeGuru Reviewer features and resources employees should access, and provides the appropriate permissions to their IAM roles.
3. IAM Administrator: A security authority that delegates necessary permissions to various service administrators.
Depending upon the above roles, you can select managed policies to provide
appropriate permissions.
• AmazonCodeGuruReviewerFullAccess
• AmazonCodeGuruReviewerReadOnlyAccess
• AmazonCodeGuruReviewerServiceRolePolicy
You can granularly control the permissions by using tags within the policy. For more
information, see Using tags to control access.
Once the previously mentioned profiles are created in the form of IAM users, groups,
and roles, users can authenticate to AWS using their assigned identity credentials. For
more information, see Authenticating with identities in CodeGuru Reviewer.
Logging and Monitoring
Logging CodeGuru Reviewer API calls with AWS CloudTrail
Amazon CodeGuru Reviewer is integrated with AWS CloudTrail, a service that provides
a record of actions taken by a user, role, or an AWS service in CodeGuru Reviewer.
CloudTrail captures API calls for CodeGuru Reviewer as events. The calls captured
include calls from the CodeGuru Reviewer console, the CodeGuru Reviewer AWS CLI,
and code calls to the CodeGuru Reviewer API operations.
If you create a trail, you can enable continuous delivery of CloudTrail events to an
Amazon S3 bucket, including events for CodeGuru Reviewer. If you do not configure a
trail, you can still view the most recent events in the CloudTrail console in Event history.
Using the information collected by CloudTrail, you can identify the request made to
CodeGuru Reviewer, the IP address from which the request was made, who made the
request, when it was made, and other additional details.
CodeGuru Reviewer supports logging the API actions as events in CloudTrail log files.
Every event or log entry contains information about who generated the request. This
identity information helps you determine the following:
• If the request was made with root or AWS Identity and Access Management (IAM) user credentials.
• If the request was made with temporary security credentials for a role or federated user.
• If the request was made by another AWS service.
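As an added example (not from the whitepaper or AWS), the script below reads CloudTrail records for the CodeGuru Reviewer event source and answers the three questions listed above from the userIdentity element, then flags sensitive actions performed with root credentials. The records are constructed for this example; the account ID is a documentation placeholder.

```python
import json

# Constructed sample CloudTrail records shaped like the CloudTrail record format.
# Event names are CodeGuru Reviewer API operations; values are made up.
SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventTime": "2021-08-03T10:00:00Z", "eventSource": "codeguru-reviewer.amazonaws.com",
  "eventName": "AssociateRepository", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-alice",
                   "userName": "dev-alice"}},
 {"eventTime": "2021-08-03T10:05:00Z", "eventSource": "codeguru-reviewer.amazonaws.com",
  "eventName": "DisassociateRepository", "sourceIPAddress": "203.0.113.11",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
 {"eventTime": "2021-08-03T10:10:00Z", "eventSource": "codeguru-reviewer.amazonaws.com",
  "eventName": "CreateCodeReview", "sourceIPAddress": "203.0.113.12",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/ci-role/build-42",
                   "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "ci-role"}}}},
 {"eventTime": "2021-08-03T10:15:00Z", "eventSource": "codeguru-reviewer.amazonaws.com",
  "eventName": "ListRecommendations", "sourceIPAddress": "codeguru-reviewer.amazonaws.com",
  "userIdentity": {"type": "AWSService", "invokedBy": "codeguru-reviewer.amazonaws.com"}},
 {"eventTime": "2021-08-03T10:20:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-alice",
                   "userName": "dev-alice"}}
]}
""")

CODEGURU_SOURCE = "codeguru-reviewer.amazonaws.com"
# Actions that change which repositories the service may touch; these deserve
# an alert when performed with root credentials rather than a scoped role.
SENSITIVE_ACTIONS = {"AssociateRepository", "DisassociateRepository", "CreateCodeReview"}


def credential_kind(identity):
    """Map a CloudTrail userIdentity element onto the three cases the text lists."""
    kind = identity.get("type")
    if kind == "Root":
        return "root credentials"
    if kind == "IAMUser":
        return "IAM user credentials"
    if kind in ("AssumedRole", "FederatedUser"):
        return "temporary credentials (role or federated user)"
    if kind == "AWSService":
        return "another AWS service"
    return "unknown"


def actor(identity):
    """Best human-readable name for who made the call."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return (identity.get("userName") or issuer.get("userName")
            or identity.get("invokedBy") or identity.get("arn", "?"))


def summarize(trail):
    """One row per CodeGuru Reviewer event: what, who, how authenticated, from where."""
    rows = []
    for rec in trail["Records"]:
        if rec.get("eventSource") != CODEGURU_SOURCE:
            continue  # events from other services are out of scope here
        ident = rec["userIdentity"]
        rows.append({
            "time": rec["eventTime"],
            "action": rec["eventName"],
            "actor": actor(ident),
            "credentials": credential_kind(ident),
            "source_ip": rec.get("sourceIPAddress"),
        })
    return rows


def root_sensitive_calls(trail):
    """Detection: sensitive CodeGuru Reviewer actions made with root credentials."""
    return [r for r in summarize(trail)
            if r["credentials"] == "root credentials" and r["action"] in SENSITIVE_ACTIONS]


if __name__ == "__main__":
    for row in summarize(SAMPLE_TRAIL):
        print(row)
    print("root alerts:", root_sensitive_calls(SAMPLE_TRAIL))
```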
Monitoring CodeGuru Reviewer with Amazon CloudWatch
You can use Amazon CloudWatch to monitor the number of recommendations created
for your source code in an associated repository over time. The recommendations are
available for three dimensions:
• ProviderType: View the number of recommendations for a provider type. You
can view the count of recommendations in all repositories over a period of time
through AWS CodeCommit, your Bitbucket account, your GitHub account, or
your GitHub Enterprise Server account.
• CodeReviewType: View the number of recommendations per pull request
for a specific code review type, such as PullRequest or Repository analysis.
• RepositoryName: View the count of recommendations for one repository over a
period of time.
Metric                        | Description
RecommendationsPublishedCount | The number of recommendations over a period of time per ProviderType, CodeReviewType, or RepositoryName for completed code reviews. Units: Count. Valid CloudWatch statistic: Count. Valid CloudWatch period: 1 hour.
Amazon CodeGuru Reviewer Repository Support
Amazon CodeGuru Reviewer currently supports the following git-based repositories:
AWS CodeCommit, GitHub, GitHub Enterprise Cloud, GitHub Enterprise Server, and
Bitbucket.
For AWS CodeCommit, Amazon CodeGuru Reviewer will use the IAM Role
with the policy AmazonCodeGuruReviewerServiceRolePolicy to gain
access to the repository and permissions to write comments. This policy has
limited permissions and grants permission to related resources in
CodeCommit, AWS CodeStar connections, and CloudWatch that are
required to create repository associations.
Example of the IAM role policy:
AmazonCodeGuruReviewerServiceRolePolicy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccessCodeGuruReviewerEnabledRepositories",
      "Effect": "Allow",
      "Action": [
        "codecommit:GetRepository",
        "codecommit:DescribePullRequestEvents",
        "codecommit:GetCommentsForPullRequest",
        "codecommit:GetDifferences",
        "codecommit:GetPullRequest",
        "codecommit:ListPullRequests",
        "codecommit:PostCommentForPullRequest",
        "codecommit:GitPull",
        "codecommit:UntagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/codeguru-reviewer": "enabled"
        }
      }
    },
    {
      "Sid": "AccessCodeGuruReviewerEnabledConnections",
      "Effect": "Allow",
      "Action": [
        "codestar-connections:UseConnection"
      ],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "codestar-connections:ProviderAction": [
            "ListBranches",
            "GetBranch",
            "ListRepositories",
            "ListOwners",
            "ListPullRequests",
            "GetPullRequest",
            "ListPullRequestComments",
            "ListPullRequestCommits",
            "ListCommitFiles",
            "ListBranchCommits",
            "CreatePullRequestDiffComment",
            "GitPull"
          ]
        },
        "Null": {
          "aws:ResourceTag/codeguru-reviewer": "false"
        }
      }
    },
    {
      "Sid": "CloudWatchEventsResourceCleanup",
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:RemoveTargets"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "events:ManagedBy": "codeguru-reviewer.amazonaws.com"
        }
      }
    }
  ]
}
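To make the tag-based scoping concrete, here is an added Python model (not AWS code, and not a complete IAM simulator) of how the StringLike, ForAllValues:StringEquals and Null conditions in the policy above evaluate against a request context. The policy copy is trimmed to the actions the checks exercise; the Resource element is "*" in every statement, so the tag conditions are what limit the role.

```python
import fnmatch

# Trimmed copy of the first two statements of AmazonCodeGuruReviewerServiceRolePolicy
# as shown in the whitepaper (action lists shortened for the demonstration).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccessCodeGuruReviewerEnabledRepositories",
            "Effect": "Allow",
            "Action": ["codecommit:GetRepository", "codecommit:GitPull",
                       "codecommit:PostCommentForPullRequest"],
            "Resource": "*",
            "Condition": {
                "StringLike": {"aws:ResourceTag/codeguru-reviewer": "enabled"}
            },
        },
        {
            "Sid": "AccessCodeGuruReviewerEnabledConnections",
            "Effect": "Allow",
            "Action": ["codestar-connections:UseConnection"],
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "codestar-connections:ProviderAction": [
                        "ListBranches", "GitPull", "CreatePullRequestDiffComment"]
                },
                "Null": {"aws:ResourceTag/codeguru-reviewer": "false"},
            },
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_holds(operator, key, expected, context):
    """Evaluate one condition operator for one key against the request context.

    context maps condition keys to their value(s); a missing key means the
    request carries no such key (for example, an untagged repository).
    """
    actual = context.get(key)
    if operator == "StringLike":
        # Single-valued key; "*" and "?" wildcards are allowed in the pattern.
        return actual is not None and any(
            fnmatch.fnmatchcase(str(actual), p) for p in _as_list(expected))
    if operator == "ForAllValues:StringEquals":
        # Multi-valued key: every value in the request must be in the allowed set.
        # IAM treats a missing key as matching for ForAllValues.
        return all(v in _as_list(expected) for v in _as_list(actual or []))
    if operator == "Null":
        # "false" requires the key to be present; "true" requires it to be absent.
        if str(expected).lower() == "false":
            return actual is not None
        return actual is None
    raise NotImplementedError(f"operator {operator} is not modelled here")


def is_allowed(action, context, policy=POLICY):
    """True if some Allow statement names the action and all of its conditions hold."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        conditions = stmt.get("Condition", {})
        if all(condition_holds(op, key, exp, context)
               for op, keys in conditions.items() for key, exp in keys.items()):
            return True
    return False


if __name__ == "__main__":
    tagged = {"aws:ResourceTag/codeguru-reviewer": "enabled"}
    print(is_allowed("codecommit:GitPull", tagged))   # True
    print(is_allowed("codecommit:GitPull", {}))       # False: repository not tagged
```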
For association with GitHub, GitHub Enterprise Cloud, GitHub Enterprise
Server, or Bitbucket-based repositories, Amazon CodeGuru Reviewer
uses AWS CodeStar Connections to create a secure OAuth connection
to those services.
Amazon CodeGuru repository association with OnPrem GitHub Enterprise server repository
AWS CodeStar Connections is a new feature that allows services such as
AWS CodePipeline and Amazon CodeGuru to access third-party git-based
source code providers. This feature allows you to use that same connection
across different AWS Regions. For more information about provided
permissions, see API Reference in the AWS CodeStar Connection
developer guide.
The Shared Responsibility Model
Security and Compliance is a shared responsibility between AWS and the customer.
This shared responsibility model can help relieve your operational burden as AWS
operates, manages, and controls the components from the host operating system and
virtualization layer, down to the physical security of the facilities in which the service
operates. You assume responsibility and management of the guest operating system
(including updates and security patches) and other associated application software, as
well as the configuration of the AWS-provided security group firewall.
For Amazon CodeGuru, AWS manages the underlying infrastructure and foundation
services, the operating system, and the application platform. You are responsible for the
security of your code, the storage and accessibility of sensitive data, and identity and
access management (IAM permissions) to the CodeGuru Reviewer.
We strongly recommend that you never put sensitive identifying information (such as
your customers' account numbers) into free-form fields requesting a name (e.g.,
code review name). This includes when you work with Amazon CodeGuru Profiler,
Reviewer, or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any
data that you enter into Amazon CodeGuru Reviewer or other AWS services has the
potential to get picked up for inclusion in diagnostic logs. When you provide a URL to
an external server, do not include credential information in the URL to validate your
request to that server.
We strongly recommend that you take precautions to avoid adding any sensitive
information (e.g. AWS credentials) to the public repositories. Though Amazon
CodeGuru offers the capability to conduct security analysis on an on-demand basis
(when triggered by the customer) on the public repositories (e.g. GitHub, Bitbucket),
there are risks associated with publishing sensitive information on public sites, such as
sharing AWS access keys inadvertently. As customers are responsible for managing
their data, they assume responsibility for these risks.
With respect to identity and access management (IAM), it is the customer’s
responsibility to ensure least privilege except where elevated permissions are
necessary. Customers should ensure that permissions such as obtaining data related to
code reviews, updating lists of principals allowed for action groups, and additional
actions possible via console, API, AWS CLI, or AWS SDKs are granted only as needed.
For more information, see Amazon CodeGuru Reviewer Actions.
Where applicable:
• Use multi-factor authentication (MFA) with each account.
• Use Transport Layer Security (TLS) to communicate with AWS resources.
• Set up API and user activity logging with AWS CloudTrail.
• Use AWS encryption solutions, and all default security controls in AWS services.
The following shows the shared responsibility model for Amazon CodeGuru service.
AWS responsibilities appear in orange and customer responsibilities appear in blue. For
example, customer data includes source code, and identity and access management
includes the ability to access Amazon CodeGuru, and the underlying AWS
infrastructure.
Shared Responsibility Model for Amazon CodeGuru
Contributors
Contributors to this document include:
• Gautam Srinivasan, Sr. Solutions Architect, AWS
• Kien Pham, Solutions Architect, AWS
• Cedric Snell, Solutions Architect, AWS
• Nikunj Vaidya, DevOps Solutions Architect, AWS
• Adnan Bilwani, Sr. Specialist Builder Experience, AWS
• Vishnu Parmar, Principal PM CodeGuru, AWS
• Abhinav Darbari, Software Development Manager CodeGuru, AWS
Further Reading
For additional information, see:
• Amazon CodeGuru FAQs
• Data Privacy FAQ
Amazon CodeGuru Reviewer:
• Reviewer Security
• Data retention and encryption
• IAM in Amazon CodeGuru Reviewer
• Compliance validation
• VPC Endpoints
• Infrastructure security
• What is ACM PCA
• Signature Version 4 Signing Process
Document Revisions
Date           | Description
August 3, 2021 | First publication
Appendix A: Glossary of Terms
Amazon CodeGuru Reviewer Terminology
Code Repository: A source code repository that can be hosted with various repository
providers. Examples of some popular code repository providers: GitHub, CodeCommit,
and BitBucket.
Pull request: Represents the changed artifacts that a developer has made to a
repository branch and wants to share with other developers and services for various
purposes - code review, merge, recommendations. This is the same concept as a Git
Pull Request.
Inference: Represents the process of running your application code against the
CodeGuru recommendation engine to generate recommendations.
Rules: A human-curated and defined set of rules that can provide recommendations on
a code repository.
Amazon CodeGuru Profiler Terminology
Profiling Group: A group of applications for which data is meant to be aggregated and
analyzed together. You can create a profiling group using your own application or the
demo application.
Profiling Agent: Collects runtime data from your applications. Data that the agent
collects is analyzed to provide flame graphs and hourly reports with recommendations
for how you can optimize your applications. You can either start the agent as a Java
virtual machine (JVM) agent, or start it manually with a code change in your application.
Related Services Terminology
Continuous Delivery: The capabilities provided by AWS CodeCommit, AWS
CodePipeline, AWS CodeBuild, AWS CodeDeploy, and AWS CodeStar provide a set of
capabilities that you can natively combine into a CI/CD pipeline.
AWS CodeCommit: A fully managed source control service that hosts Git-based
repositories. It enables you to create a branching strategy that meets AWS
recommendations (including fine-grained access control) and integrate with AWS
CodePipeline to trigger a new pipeline execution when a new commit occurs in your
release branch.
AWS CodeBuild: Can be used for the build stage of your pipeline. Use it to build your
code, execute unit tests, and create a new software package. It is a fully managed
continuous integration service.
AWS CodeDeploy: A fully managed deployment service that automates software
deployments to a variety of compute services such as Amazon EC2, AWS Fargate,
AWS Lambda, and on your on-premises servers.
AWS CodePipeline: A fully managed continuous delivery service where you define the
steps in your pipeline. Typically, an AWS CodePipeline pipeline begins where your
source code changes arrive. Then, you execute a build phase, execute tests against
your new build, and perform a deployment and release of your build into the live
environment. AWS CodePipeline provides native integration options for each of these
phases with other AWS services.
AWS CodeStar: A unified user interface for creating your application that helps you
follow best practices from the beginning. When you create a new project in AWS
CodeStar, you automatically begin with a fully implemented and integrated continuous
delivery toolchain (using AWS CodeCommit, AWS CodePipeline, and AWS CodeBuild
services mentioned earlier). A place where you can manage aspects of the SDLC for
your project, including team member management, issue tracking, development,
deployment, and operations.