Tags: git, amazon-web-services, amazon-iam, aws-codecommit, aws-policies

Restrict push action without pull request


Is there any way to make an IAM policy where a user is not allowed to push code to the branch directly? They should only be able to do it through a pull request.


Solution

  • Yes, it is possible to ensure the only way of modifying your branches is through a PullRequest. You can achieve this by either removing the following permissions from your policy or adding an explicit Deny, in case you are using an AWS managed policy:

    codecommit:MergeBranchesByFastForward
    codecommit:MergeBranchesBySquash
    codecommit:MergeBranchesByThreeWay
    

    And making sure you have the permissions to merge a PullRequest:

    codecommit:MergePullRequestByFastForward
    codecommit:MergePullRequestBySquash
    codecommit:MergePullRequestByThreeWay
    

    Here are the docs with the permissions for CodeCommit: https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control-permissions-reference.html#aa-pr
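An added example policy (not from the answer above) that puts the answer's advice into a concrete IAM policy document and goes one step further: besides denying the three MergeBranches* actions, it also denies codecommit:GitPush, DeleteBranch and PutFile against the protected branch, so a developer cannot bypass the pull request with a plain `git push`. The region, account ID `111122223333`, repository name `MyDemoRepo` and branch `main` are placeholders to replace with your own values (JSON allows no comments, so they are labelled here rather than in the block).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDirectChangesToMainBranch",
      "Effect": "Deny",
      "Action": [
        "codecommit:GitPush",
        "codecommit:DeleteBranch",
        "codecommit:PutFile",
        "codecommit:MergeBranchesByFastForward",
        "codecommit:MergeBranchesBySquash",
        "codecommit:MergeBranchesByThreeWay"
      ],
      "Resource": "arn:aws:codecommit:us-east-1:111122223333:MyDemoRepo",
      "Condition": {
        "StringEqualsIfExists": {
          "codecommit:References": ["refs/heads/main"]
        },
        "Null": {
          "codecommit:References": "false"
        }
      }
    },
    {
      "Sid": "AllowMergesOnlyThroughPullRequests",
      "Effect": "Allow",
      "Action": [
        "codecommit:MergePullRequestByFastForward",
        "codecommit:MergePullRequestBySquash",
        "codecommit:MergePullRequestByThreeWay"
      ],
      "Resource": "arn:aws:codecommit:us-east-1:111122223333:MyDemoRepo"
    }
  ]
}
```

The `Null` condition restricts the Deny to requests that carry a reference name, so the statement fires only for operations that actually target `refs/heads/main`; pushes to feature branches are still governed by whatever Allow statements the principal otherwise has. Because an explicit Deny always wins, this works even when the user also holds a broad managed policy such as AWSCodeCommitPowerUser.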