End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and End of Life on July 31st, 2026. The same capabilities and much more are available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™.

Configure OAuth for CodeBuild Project Sources

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that CodeBuild GitHub or Bitbucket source repository URLs use OAuth instead of personal access tokens for authorization. To prevent unauthorized access, Amazon CodeBuild integrates with OAuth to provide secure authorization to the GitHub/Bitbucket repositories configured as code sources for CodeBuild build projects.

Security

Securing sign-in credentials is vital when it comes to protecting sensitive information. Under no circumstances should these credentials be stored or transmitted in plain, readable text, nor should they be visible in the repository URL. To enhance security, adopt OAuth as the preferred method for granting authorization to access GitHub or Bitbucket repositories. Relying on personal access tokens or sign-in credentials embedded in the source configuration could expose your sensitive data to breaches and unauthorized access, compromising your account's safety.


Audit

To determine if CodeBuild GitHub or Bitbucket source repository URLs use OAuth, perform the following actions:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Developer Tools console at https://console.aws.amazon.com/codesuite.

  3. In the left navigation panel, under Build - CodeBuild, choose Build projects.

  4. Click on the name (link) of the CodeBuild build project that you want to examine.

  5. Select the Build details tab to access the configuration information available for the selected build project.

  6. Choose Edit from the Source section to access the code source configuration settings available for the selected build project.

  7. Check the Connection status available for each code source where the source provider is GitHub or Bitbucket. If the Connection status is set to You are connected to GitHub/Bitbucket using a personal access token, the CodeBuild GitHub/Bitbucket source repository URLs use personal access tokens instead of OAuth for authorization.

  8. Repeat steps no. 4 – 7 for each Amazon CodeBuild build project available within your AWS cloud account.

Using AWS CLI

  1. Run list-projects command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon CodeBuild build project created in your AWS cloud account:

    aws codebuild list-projects \
      --region us-east-1 \
      --output table \
      --query 'projects'
    
  2. The command output should return a table with the requested project names:

    --------------------------
    |      ListProjects      |
    +------------------------+
    |  cc-repo-code-project  |
    |  cc-webapp-ai-project  |
    +------------------------+
    
  3. Run list-source-credentials command (OSX/Linux/UNIX) using the name of the Amazon CodeBuild build project that you want to examine as the identifier parameter and custom query filters to describe the type of the credentials used for GitHub/Bitbucket authorization, configured for the selected build project:

    aws codebuild list-source-credentials \
      --region us-east-1 \
      --query 'sourceCredentialsInfos[].authType'
    
  4. The command output should return the requested source credentials information:

    [
        "PERSONAL_ACCESS_TOKEN"
    ]
    

    If the list-source-credentials command output returns "PERSONAL_ACCESS_TOKEN", as shown in the example above, the CodeBuild GitHub/Bitbucket source repository URLs use personal access tokens instead of OAuth for authorization.

  5. Repeat steps no. 3 and 4 for each Amazon CodeBuild build project deployed within your AWS cloud account.
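To run the CLI audit above across every build project at once, the following Python, added here and not part of the original article, evaluates the JSON that `aws codebuild list-source-credentials` and `aws codebuild batch-get-projects` return (save each command's output to a file and pass its contents in). It goes slightly beyond the page by also honouring a project-level auth block; the sample JSON is constructed, and the precedence rule in effective_auth (project-level auth wins over the account-level credential for that server type) is an assumption.

```python
import json

# Constructed sample output of `aws codebuild list-source-credentials`
# (not from a real account): the account-level GitHub credential is a PAT.
SOURCE_CREDENTIALS_JSON = """{"sourceCredentialsInfos": [
  {"arn": "arn:aws:codebuild:us-east-1:111122223333:token/github",
   "serverType": "GITHUB", "authType": "PERSONAL_ACCESS_TOKEN"}]}"""

# Constructed sample output of `aws codebuild batch-get-projects`, trimmed
# to the fields this check reads; the second project carries its own OAuth auth.
PROJECTS_JSON = """{"projects": [
  {"name": "cc-repo-code-project",
   "source": {"type": "GITHUB", "location": "https://github.com/example/repo.git"}},
  {"name": "cc-webapp-ai-project",
   "source": {"type": "GITHUB", "location": "https://github.com/example/app.git",
              "auth": {"type": "OAUTH"}}},
  {"name": "cc-s3-project",
   "source": {"type": "S3", "location": "example-bucket/src.zip"}}]}"""

SCM_TYPES = {"GITHUB", "BITBUCKET"}                  # providers this check covers
WEAK_AUTH = {"PERSONAL_ACCESS_TOKEN", "BASIC_AUTH"}  # credential-based, not OAuth


def effective_auth(source, account_creds):
    """Assumption: an explicit project-level auth block wins; otherwise CodeBuild
    uses the account-level credential registered for that server type."""
    return source.get("auth", {}).get("type") or account_creds.get(source["type"], "NONE")


def audit(source_credentials_json, projects_json):
    """Return {project_name: effective auth type} for each GitHub/Bitbucket
    source whose authorization rests on a personal access token or basic auth."""
    creds = json.loads(source_credentials_json)["sourceCredentialsInfos"]
    account_creds = {c["serverType"]: c["authType"] for c in creds}
    findings = {}
    for project in json.loads(projects_json)["projects"]:
        src = project["source"]
        if src["type"] not in SCM_TYPES:
            continue                      # S3, CodeCommit, etc. are out of scope
        auth = effective_auth(src, account_creds)
        if auth in WEAK_AUTH:
            findings[project["name"]] = auth
    return findings
```

Any project listed in the returned dict is non-compliant with this rule and should be reconnected using OAuth as described in the Remediation section.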

Remediation / Resolution

To ensure that CodeBuild GitHub/Bitbucket source repository URLs use OAuth for authorization, perform the following actions:

OAuth connections are not currently supported by the AWS CLI and must be created using the Amazon CodeBuild console.

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Store the environment variable with the sensitive value as a parameter in Amazon EC2 Systems Manager Parameter Store or AWS Secrets Manager.

  3. Navigate to AWS Developer Tools console at https://console.aws.amazon.com/codesuite.

  4. In the left navigation panel, under Build - CodeBuild, choose Build projects.

  5. Click on the name (link) of the CodeBuild build project that you want to configure.

  6. Select the Build details tab to access the configuration information available for the selected build project.

  7. Choose Edit from the Source section to modify the code source configuration available for the selected build project.

  8. On the Edit Source page, perform the following operations:

    1. Choose the code source that you want to configure and select Disconnect from GitHub/Bitbucket.
    2. Under Repository, select Connect using OAuth, and choose Connect to GitHub/Bitbucket.
    3. For Processing OAuth request, choose Confirm to confirm the authorization to your GitHub/Bitbucket account.
    4. Choose Update source to apply the configuration changes.
  9. Repeat steps no. 5 – 8 for each Amazon CodeBuild build project that you want to configure, available in your AWS cloud account.

Publication date Sep 1, 2023