Development Shack Technology Understood

Amazon CodeDeploy Security Checklist

Amazon CodeDeploy is an awesome service, but getting it configured correctly can be a bit tricky.

First let me say, that CodeDeploy ONLY works in us-east or us-west regions. Everything below assumes us-east.

Step #1 - Create an IAM Policy

The policy below does two things:

  1. It allows a role to read the aws-codedeploy-us-east-1 S3 bucket, so the instance can download and install the CodeDeploy agent.
  2. It allows a role to manage a few things on EC2 instances and Auto Scaling groups. The CodeDeploy service requires this.

Here is an example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::aws-codedeploy-us-east-1",
                "arn:aws:s3:::aws-codedeploy-us-east-1/*"
            ]
        },
        {
            "Action": [
                "autoscaling:PutLifecycleHook",
                "autoscaling:DeleteLifecycleHook",
                "autoscaling:RecordLifecycleActionHeartbeat",
                "autoscaling:CompleteLifecycleAction",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:PutInstanceInStandby",
                "autoscaling:PutInstanceInService",
                "ec2:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

You can use GitHub or Amazon S3 to deploy your applications from.

If you want to deploy from Amazon S3, you will need to extend the policy above: add your own S3 bucket to the "Resource" list alongside the aws-codedeploy-us-east-1 bucket.

Step #2 - Create an IAM Role

The role needs to have the IAM Policy attached to it. You will find that in the Amazon EC2 sub-section.

Next, you need to "entrust" Amazon's CodeDeploy servers to "assume" this role. Click "Edit Trust Relationship" while viewing your IAM Role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "codedeploy.us-east-1.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Step #3 - Create an EC2 Instance

This needs to be associated with the IAM Role you created.

It also must be running in us-east or us-west to function correctly.

You have to install the CodeDeploy Agent if you just use an Amazon Linux AMI:

sudo yum -y install aws-cli
aws configure
aws s3 cp s3://aws-codedeploy-us-east-1/latest/install . --region us-east-1
chmod +x install
sudo ./install auto

I have found that after installing the CodeDeploy Agent, I had to restart the server before my deployments started to work.

Step #4 - Allow access to your S3 Bucket

Access to the files is a two-way street in Amazon S3.

One way is for the IAM Role to access the bucket (connecting out).

The other way is for the bucket to allow access for an IAM Role to it (allowing incoming connections).

Add or edit your S3 bucket policy to include permissions like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:Get*", "s3:List*"],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::CodeDeployDemoBucket",
        "arn:aws:s3:::CodeDeployDemoBucket/*"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::80398EXAMPLE:role/CodeDeployDemo"
        ]
      }
    }
  ]
}
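The three policies in steps 1, 2 and 4 are where a CodeDeploy setup usually ends up either broken or far too open. As an added Python example that is not code from the original post or from AWS, here is a small linter for the rules those steps rely on: the instance policy names the agent bucket rather than every bucket, and grants s3:List* on the bucket ARN itself (an object ARN ending in /* does nothing for ListBucket); the trust policy only lets the expected service principals assume the role; and the bucket policy lets exactly the deploy role read, with no write actions and no anonymous principal. The embedded policies are copied from the steps above (the autoscaling action list abbreviated) using the checklist's placeholder account id 80398EXAMPLE; OPEN_BUCKET_POLICY is a constructed counter-example.

```python
import fnmatch

# Sample input, constructed from the policies in the steps above (autoscaling
# actions abbreviated). 80398EXAMPLE is the checklist's placeholder account id.
ROLE_ARN = "arn:aws:iam::80398EXAMPLE:role/CodeDeployDemo"
AGENT_BUCKET = "arn:aws:s3:::aws-codedeploy-us-east-1"
ALLOWED_SERVICES = {"ec2.amazonaws.com", "codedeploy.us-east-1.amazonaws.com"}

INSTANCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
     "Resource": [AGENT_BUCKET, AGENT_BUCKET + "/*"]},
    {"Effect": "Allow", "Action": ["autoscaling:PutLifecycleHook", "ec2:Describe*"],
     "Resource": "*"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": sorted(ALLOWED_SERVICES)},
     "Action": "sts:AssumeRole"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
     "Resource": ["arn:aws:s3:::CodeDeployDemoBucket", "arn:aws:s3:::CodeDeployDemoBucket/*"],
     "Principal": {"AWS": [ROLE_ARN]}}]}
# Constructed counter-example: a bucket policy that is far too open.
OPEN_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::CodeDeployDemoBucket/*",
     "Principal": "*"}]}


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def _action_matches(granted, wanted):
    """IAM action matching: '*' is a wildcard and names are case-insensitive."""
    return fnmatch.fnmatchcase(wanted.lower(), granted.lower())


def _is_bucket_arn(resource):
    """arn:aws:s3:::bucket (no key part), as opposed to arn:aws:s3:::bucket/*."""
    prefix = "arn:aws:s3:::"
    return resource.startswith(prefix) and "/" not in resource[len(prefix):]


def check_instance_policy(policy):
    """Step 1: the policy attached to the instance role. Returns a list of findings."""
    findings = []
    for i, st in enumerate(_allow_statements(policy)):
        actions, resources = _as_list(st.get("Action")), _as_list(st.get("Resource"))
        if any(a == "*" or a.lower().startswith("iam:") for a in actions):
            findings.append(f"statement {i}: grants '*' or iam:* actions")
        s3_actions = [a for a in actions if a.lower().startswith("s3:")]
        if not s3_actions:
            continue
        if "*" in resources:
            findings.append(f"statement {i}: S3 actions allowed on every bucket; name the agent bucket")
        if any(_action_matches(a, "s3:ListBucket") for a in s3_actions) and \
                not any(_is_bucket_arn(r) for r in resources):
            findings.append(f"statement {i}: s3:List* only takes effect on the bucket ARN, not bucket/*")
    return findings


def check_trust_policy(policy, allowed_services):
    """Step 2: who may call sts:AssumeRole on the role. Returns a list of findings."""
    findings = []
    for i, st in enumerate(_allow_statements(policy)):
        if not any(_action_matches(a, "sts:AssumeRole") for a in _as_list(st.get("Action"))):
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"statement {i}: any AWS principal may assume this role")
            continue
        for svc in _as_list(principal.get("Service") if isinstance(principal, dict) else None):
            if svc not in allowed_services:
                findings.append(f"statement {i}: unexpected service principal {svc}")
    return findings


def check_bucket_policy(policy, role_arn):
    """Step 4: the bucket should let exactly the deploy role read, nothing more."""
    findings = []
    for i, st in enumerate(_allow_statements(policy)):
        principal = st.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else ["*"]
        if "*" in aws:
            findings.append(f"statement {i}: bucket readable by anyone")
        elif any(p != role_arn for p in aws):
            findings.append(f"statement {i}: principal other than the deploy role: {aws}")
        for a in _as_list(st.get("Action")):
            if not (_action_matches("s3:Get*", a) or _action_matches("s3:List*", a)):
                findings.append(f"statement {i}: non-read action {a}")
    return findings


def run_all():
    """Run every check against the embedded policies; returns {name: findings}."""
    return {
        "instance_policy": check_instance_policy(INSTANCE_POLICY),
        "trust_policy": check_trust_policy(TRUST_POLICY, ALLOWED_SERVICES),
        "bucket_policy": check_bucket_policy(BUCKET_POLICY, ROLE_ARN),
        "open_bucket_policy": check_bucket_policy(OPEN_BUCKET_POLICY, ROLE_ARN),
    }


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(name, "OK" if not findings else findings)
```

Running it reports the three checklist policies as clean and two findings for the open bucket policy (anonymous principal, write actions). Pasting a policy exported from the console into the dicts at the top is the quickest way to re-check a setup after editing it.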

Step #5 - Create a deployment package

A deployment package can be a zip. Make sure to include an appspec.yml to manage the deployment process!

It should look something like this:

version: 0.0
os: linux
files:
  - source: /
    destination: /var/www/html/
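Building the package and checking it before upload, as an added Python example that is not part of the original post: build_bundle zips a directory with the appspec.yml above written at the archive root (CodeDeploy needs it there; zipping the parent folder nests it one level down, which is a common cause of failed deployments), and validate_bundle reports that mistake, entries that escape the bundle root, and credential-looking files that should never ship in a deployment package. The site files, the bad bundle and the list of sensitive names are constructed for the example.

```python
import os
import tempfile
import zipfile

# appspec.yml as given in the checklist above
APPSPEC = """version: 0.0
os: linux
files:
  - source: /
    destination: /var/www/html/
"""

# Constructed list of names that should never end up in a deployment bundle
SENSITIVE_NAMES = {".env", "id_rsa", "credentials"}
SENSITIVE_SUFFIXES = (".pem", ".key", ".p12")
SENSITIVE_DIRS = {".git", ".aws", ".ssh"}


def build_bundle(src_dir, out_path):
    """Zip src_dir with appspec.yml at the archive root, where CodeDeploy expects it."""
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("appspec.yml", APPSPEC)
        for root, _dirs, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                zf.write(full, os.path.relpath(full, src_dir).replace(os.sep, "/"))
    return out_path


def validate_bundle(path):
    """Return a list of problems with the bundle; an empty list means it passes."""
    problems = []
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        if "appspec.yml" not in names:
            if any(n.endswith("/appspec.yml") for n in names):
                problems.append("appspec.yml is inside a sub-directory; it must be at the zip root")
            else:
                problems.append("appspec.yml is missing")
        else:
            # Minimal check of the top-level keys without a YAML dependency
            spec = zf.read("appspec.yml").decode("utf-8")
            keys = {line.split(":", 1)[0].strip() for line in spec.splitlines()
                    if ":" in line and not line.startswith(" ")}
            for required in ("version", "os", "files"):
                if required not in keys:
                    problems.append(f"appspec.yml lacks the '{required}' key")
        for n in names:
            parts = n.split("/")
            if n.startswith("/") or ".." in parts:
                problems.append(f"entry escapes the bundle root: {n}")
            base = parts[-1]
            if base in SENSITIVE_NAMES or base.endswith(SENSITIVE_SUFFIXES) \
                    or SENSITIVE_DIRS & set(parts[:-1]):
                problems.append(f"credential-looking file in bundle: {n}")
    return problems


def demo():
    """Build a good bundle and a bad one in a temp dir; returns (good_problems, bad_problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "site")
        os.makedirs(os.path.join(site, "css"))
        with open(os.path.join(site, "index.html"), "w") as f:
            f.write("<h1>hello</h1>\n")
        with open(os.path.join(site, "css", "main.css"), "w") as f:
            f.write("h1 { color: navy; }\n")
        good = validate_bundle(build_bundle(site, os.path.join(tmp, "good.zip")))

        # Constructed mistake: the parent folder was zipped, so appspec.yml is
        # nested, and a private key was left next to the site files.
        bad_path = os.path.join(tmp, "bad.zip")
        with zipfile.ZipFile(bad_path, "w") as zf:
            zf.writestr("site/appspec.yml", APPSPEC)
            zf.writestr("site/index.html", "<h1>hello</h1>\n")
            zf.writestr("site/deploy.pem", "(constructed placeholder, not a real key)")
        bad = validate_bundle(bad_path)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("good bundle:", good or "OK")
    print("bad bundle:", bad)
```

The good bundle passes; the bad one is reported for the nested appspec.yml and for the .pem file. Run validate_bundle on the real zip right before the aws s3 cp upload in step 7, since anything in the bundle is readable by every instance in the deployment group.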

Step #6 - Create a CodeDeploy Application

The Service Role ARN should be the IAM Role ARN. Not the Instance Profile ARN.

If it can't "assume this role" then you missed the last part of step #2.

The deployment group filters your EC2 instances by tags. I just filtered by name to include just the one instance.

Step #7 - Create a deployment

Finally! Select the application, deployment group, Amazon S3, enter the S3 file path to your ZIP file, and click Deploy!