
Rule: CodeBuild GitHub or Bitbucket Source Repository URLs Should Use OAuth

This rule ensures that CodeBuild projects use OAuth for GitHub or Bitbucket source repository URLs.

Rule: CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Critical

Rule Description

The rule requires that CodeBuild GitHub or Bitbucket source repository URLs should use OAuth for NIST Cybersecurity Framework (CSF) v1 compliance. This means that the integration between CodeBuild and the repository should be authenticated using OAuth instead of other methods like username/password authentication.

Rationale

Using OAuth for repository authentication provides an additional layer of security by eliminating the need to store and manage sensitive credentials. It allows users to securely access the repository without sharing their username and password with external services like CodeBuild. This helps in adhering to the NIST Cybersecurity Framework guidelines and protects against potential credential leakage or unauthorized access.

Troubleshooting Steps

If there are issues with OAuth integration between CodeBuild and the source repository, follow these troubleshooting steps:

  1. Check OAuth permissions: Ensure that the appropriate OAuth permissions are granted to CodeBuild for accessing the repository. Verify that CodeBuild has the necessary read and write access to perform the required tasks.

  2. Review OAuth application settings: Verify the OAuth application settings on the repository provider (e.g., GitHub or Bitbucket). Ensure that the application is properly configured to interact with CodeBuild, and review the scopes and permissions assigned to the OAuth application.

  3. Verify OAuth token configuration: Check the OAuth token configuration in CodeBuild. Ensure that the correct OAuth token is provided for repository authentication. If the token is expired or invalid, generate a new token with the required permissions and update it in CodeBuild.

  4. Test OAuth integration: Test the OAuth integration by triggering a build in CodeBuild. Monitor the integration process for any errors or issues, and check the build logs and error messages for any indications of OAuth authentication problems.

  5. Contact support: If the troubleshooting steps do not resolve the OAuth integration issue, consider reaching out to the repository provider's support team for further assistance. Provide them with relevant details about the issue and the steps taken so far.

Necessary Code (if applicable)

Depending on the repository provider and the integration method, the following steps show how to configure OAuth authentication for CodeBuild's GitHub and Bitbucket integrations.

GitHub OAuth Configuration

  1. Generate a GitHub personal access token with repo scope permissions.

  2. In the AWS Management Console, navigate to CodeBuild.

  3. Edit the CodeBuild project configuration.

  4. Under Source, select "GitHub" as the source provider.

  5. Choose "Connect using OAuth" and provide the GitHub personal access token.

  6. Configure the remaining options for the project and save the changes.

Bitbucket OAuth Configuration

  1. Create an OAuth consumer in Bitbucket for CodeBuild.

  2. In the AWS Management Console, navigate to CodeBuild.

  3. Edit the CodeBuild project configuration.

  4. Under Source, select "Bitbucket" as the source provider.

  5. Choose "Connect using OAuth" and provide the necessary OAuth consumer details, including the consumer key and consumer secret.

  6. Configure the remaining options for the project and save the changes.

Remediation Steps

To ensure that CodeBuild GitHub or Bitbucket source repository URLs use OAuth, follow these steps:

  1. Open the AWS Management Console and navigate to CodeBuild.

  2. Identify the CodeBuild project that needs to be remediated.

  3. Edit the project's configuration.

  4. Under Source, select either "GitHub" or "Bitbucket" as the source provider, based on the repository type.

  5. Choose the "Connect using OAuth" option for authentication.

  6. Follow the necessary steps for the selected provider (GitHub or Bitbucket) to generate and configure the OAuth token or consumer.

  7. Save the changes to update the project configuration.

  8. Trigger a build to ensure that the OAuth integration is successful.
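The rule check described above and the remediation steps just listed, as an added example that is not part of the original rule page or of any Cloud Defense or AWS tooling. It assumes project data in the shape returned by the CodeBuild `batch-get-projects` API (a `source` block with `type` and an optional `auth` block, plus optional `secondarySources`); the sample projects are constructed, and the account is assumed to already hold the console OAuth authorization the steps above create.

```python
from __future__ import annotations

# CodeBuild source "type" values the rule covers; other types are out of scope.
REPO_SOURCE_TYPES = {"GITHUB", "GITHUB_ENTERPRISE", "BITBUCKET"}


def uses_oauth(source: dict) -> bool:
    """True when the source's auth block declares OAuth."""
    return (source.get("auth") or {}).get("type") == "OAUTH"


def noncompliant_projects(projects: list[dict]) -> list[tuple[str, str]]:
    """(project name, source type) for every GitHub/Bitbucket source,
    primary or secondary, that is not authenticated with OAuth."""
    findings = []
    for project in projects:
        sources = [project.get("source", {})] + project.get("secondarySources", [])
        for src in sources:
            if src.get("type") in REPO_SOURCE_TYPES and not uses_oauth(src):
                findings.append((project["name"], src["type"]))
    return findings


def oauth_remediation_args(project: dict) -> dict:
    """Keyword arguments for boto3 `update_project` that switch the primary
    source to OAuth; the original project dict is left unchanged."""
    source = dict(project["source"])
    source["auth"] = {"type": "OAUTH"}
    return {"name": project["name"], "source": source}


# Constructed sample data in the batch-get-projects shape (not real projects).
SAMPLE_PROJECTS = [
    {"name": "api-build",
     "source": {"type": "GITHUB", "location": "https://github.com/example/api.git",
                "auth": {"type": "OAUTH"}}},
    {"name": "web-build",
     "source": {"type": "GITHUB", "location": "https://github.com/example/web.git",
                "auth": {"type": "OAUTH"}},
     "secondarySources": [{"type": "BITBUCKET", "sourceIdentifier": "assets",
                           "location": "https://bitbucket.org/example/assets.git"}]},
    {"name": "legacy-build",
     "source": {"type": "GITHUB", "location": "https://github.com/example/legacy.git"}},
    {"name": "artifact-build", "source": {"type": "S3", "location": "bucket/src.zip"}},
]

if __name__ == "__main__":
    for name, src_type in noncompliant_projects(SAMPLE_PROJECTS):
        print(f"NON-COMPLIANT: {name} ({src_type} source without OAuth)")
    # Remediate with: boto3.client("codebuild").update_project(**oauth_remediation_args(p))
```

Secondary sources are checked as well as the primary one, since a non-OAuth secondary repository fails the rule just the same.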

Conclusion

By configuring CodeBuild GitHub or Bitbucket source repository URLs to use OAuth, you adhere to NIST Cybersecurity Framework guidelines and improve the security of repository integration. Regularly monitor and verify the OAuth configuration to ensure ongoing compliance and protection against unauthorized access.
