
Rule: CodeBuild GitHub or Bitbucket Source Repository URLs Should Use OAuth

Ensure the usage of OAuth for GitHub or Bitbucket source repository URLs in CodeBuild.

Rule: CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
Framework: AWS Foundational Security Best Practices
Severity: Critical

Rule Description:

This rule enforces the use of OAuth for CodeBuild repositories connected to GitHub or Bitbucket. By utilizing OAuth (OAuth 2.0), you can establish a secure connection between CodeBuild and the source code repositories. OAuth eliminates the need to store long-lived credentials and reduces the risk of unauthorized access to your source code.

Troubleshooting Steps:

  • Step 1: Verify the repository type. Confirm that the CodeBuild source repository is either a GitHub or Bitbucket repository.

  • Step 2: Check if OAuth is configured. Ensure that OAuth is enabled and properly configured for the respective repository platform (GitHub or Bitbucket).

  • Step 3: Review CodeBuild settings. Make sure that the CodeBuild project has the correct source repository URL specified and that it is using OAuth for authentication.

  • Step 4: Validate OAuth tokens. Check that the OAuth tokens used for authentication are valid and have not expired. Generate new tokens if necessary.

  • Step 5: Check repository permissions. Confirm that the OAuth tokens being used have sufficient permissions to access the repository and its contents.

Necessary Codes:

There is no specific code to provide for this rule. However, you may need to use AWS CLI commands to configure OAuth for CodeBuild source repositories.
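As an added audit script that is not part of the original rule page, the following Python evaluates CodeBuild project definitions (in the shape returned by the boto3 `batch_get_projects` call) and flags GitHub or Bitbucket sources that either embed sign-in credentials in the repository URL or do not use the OAUTH auth type. The project names, URLs and token value in the sample data are constructed placeholders; the optional `fetch_projects` helper assumes boto3 and AWS credentials are available.

```python
"""Audit CodeBuild projects for GitHub/Bitbucket sources that bypass OAuth."""
from urllib.parse import urlparse

# Source types covered by this rule (CodeBuild API values).
GIT_HOSTED_TYPES = {"GITHUB", "GITHUB_ENTERPRISE", "BITBUCKET"}


def evaluate_source(source: dict) -> tuple[str, str]:
    """Return ("PASS"|"FAIL"|"NOT_APPLICABLE", reason) for one project source block.

    A source fails when its repository URL embeds credentials (user:token@host)
    or when its auth type is anything other than OAUTH.
    """
    if source.get("type") not in GIT_HOSTED_TYPES:
        return "NOT_APPLICABLE", f"source type {source.get('type')} is not GitHub/Bitbucket"
    parsed = urlparse(source.get("location", ""))
    if parsed.username or parsed.password:
        # Credentials baked into the clone URL are the long-lived secrets OAuth replaces.
        return "FAIL", "repository URL embeds a username/token"
    auth_type = source.get("auth", {}).get("type")
    if auth_type != "OAUTH":
        return "FAIL", f"auth type is {auth_type!r}, expected 'OAUTH'"
    return "PASS", "OAuth connection in use"


def audit_projects(projects: list[dict]) -> dict[str, tuple[str, str]]:
    """Evaluate the primary source of each project dict (batch_get_projects shape)."""
    return {p["name"]: evaluate_source(p.get("source", {})) for p in projects}


def fetch_projects() -> list[dict]:
    """Pull live project definitions with boto3 (optional; needs AWS credentials)."""
    import boto3  # imported lazily so the offline demo below needs no AWS SDK
    cb = boto3.client("codebuild")
    names = [n for page in cb.get_paginator("list_projects").paginate() for n in page["projects"]]
    # batch_get_projects accepts at most 100 names per call; chunk for larger accounts.
    return cb.batch_get_projects(names=names[:100])["projects"] if names else []


# Constructed sample data (placeholder names, URLs and token; not real projects).
SAMPLE_PROJECTS = [
    {"name": "api-build", "source": {"type": "GITHUB",
     "location": "https://github.com/example-org/api.git", "auth": {"type": "OAUTH"}}},
    {"name": "legacy-build", "source": {"type": "GITHUB",
     "location": "https://deploy-bot:TOKEN_PLACEHOLDER@github.com/example-org/legacy.git"}},
    {"name": "docs-build", "source": {"type": "BITBUCKET",
     "location": "https://bitbucket.org/example-team/docs.git"}},
    {"name": "infra-build", "source": {"type": "CODECOMMIT",
     "location": "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/infra"}},
]

if __name__ == "__main__":
    for name, (status, reason) in audit_projects(SAMPLE_PROJECTS).items():
        print(f"{status:<14} {name}: {reason}")
```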

Step-by-Step Guide for Remediation:

Follow these steps to ensure that your CodeBuild GitHub or Bitbucket repositories use OAuth:

OAuth Configuration for GitHub:

  1. Generate an OAuth token on GitHub:

    • Go to your GitHub account settings.
    • Navigate to "Developer Settings" and select "Personal access tokens."
    • Click "Generate new token" and provide a description.
    • Grant the necessary permissions to the token, such as repository access.

  2. Connect the repository to CodeBuild:

    • Open the AWS Management Console and go to the CodeBuild service.
    • Select your project and click "Edit" to modify the source settings.
    • Enter the repository's URL using the HTTPS format.
    • Check the "Use GitHub OAuth" option.
    • Paste the generated OAuth token in the "GitHub Token" field.

  3. Save the changes and trigger a build:

    • Click "Save" to update the project settings.
    • Trigger a new build to verify that the OAuth authentication is successful.

OAuth Configuration for Bitbucket:

  1. Generate an OAuth consumer on Bitbucket:

    • Go to your Bitbucket account settings.
    • Navigate to "Workspace settings" and select "OAuth consumers."
    • Click "Add consumer" and provide the necessary details.
    • Grant the appropriate permissions to the consumer, such as repository access.

  2. Connect the repository to CodeBuild:

    • Open the AWS Management Console and go to the CodeBuild service.
    • Select your project and click "Edit" to modify the source settings.
    • Enter the repository's URL using the HTTPS format.
    • Check the "Use Bitbucket OAuth" option.
    • Enter the consumer key and consumer secret generated in the previous step.

  3. Save the changes and trigger a build:

    • Click "Save" to update the project settings.
    • Trigger a new build to verify that the OAuth authentication is successful.

By following these steps, you will ensure that your CodeBuild repositories connected to GitHub or Bitbucket use OAuth for secure authentication and access control.
