This rule ensures that CodeBuild project source repository URLs are configured to use OAuth for GitHub or Bitbucket.
| Attribute | Value |
|---|---|
| Rule | CodeBuild GitHub or Bitbucket source repository URLs should use OAuth |
| Framework | CISA-cyber-essentials |
| Severity | Critical |
CodeBuild GitHub or Bitbucket Source Repository URLs Should Use OAuth for CISA-Cyber-Essentials
Overview
Using OAuth with AWS CodeBuild for GitHub or Bitbucket source repository URLs is essential for maintaining security and privacy while adhering to the Cybersecurity and Infrastructure Security Agency (CISA) Cyber Essentials. OAuth tokens provide a secure, efficient way to grant and control access to your repositories without sharing your username and password.
Rule Details
This rule requires that any AWS CodeBuild project that uses a source repository from GitHub or Bitbucket must have OAuth configured as the source authentication type. This is a security measure that complies with CISA Cyber Essentials, aiming to safeguard your codebase by using scoped, revocable OAuth tokens instead of a username and password for repository access.
Troubleshooting Steps
Checking OAuth Configuration in CodeBuild
Verifying OAuth Tokens
Remediation Steps
Generating OAuth Token on GitHub
Step 1: Create OAuth Token (scopes: repo, admin:repo_hook)
Step 2: Integrate OAuth Token into AWS CodeBuild
Generating OAuth Token on Bitbucket
Step 1: Create OAuth Consumer
Step 2: Integrate OAuth Consumer into AWS CodeBuild
Necessary CLI Commands
To update a GitHub source provider with OAuth in AWS CodeBuild:
aws codebuild update-project \
  --name "project-name" \
  --source 'type=GITHUB,location=https://github.com/user/repo.git,auth={type=OAUTH}'
To update a Bitbucket source provider with OAuth in AWS CodeBuild:
aws codebuild update-project \
  --name "project-name" \
  --source 'type=BITBUCKET,location=https://bitbucket.org/user/repo.git,auth={type=OAUTH}'
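To check existing projects against this rule before and after remediation, the following added example (not part of the original rule page) evaluates project definitions in the shape returned by `aws codebuild batch-get-projects` (boto3: `client("codebuild").batch_get_projects`). It runs offline on constructed sample projects; the project names and repository locations are illustrative only, and it covers secondary sources as well as the primary one.

```python
from typing import Iterable

# Source types this rule applies to; other types (CODECOMMIT, S3, ...) are out of scope.
REPO_TYPES = {"GITHUB", "BITBUCKET"}


def evaluate_source(source: dict) -> str:
    """Return 'ok', 'alarm' or 'skip' for one ProjectSource entry."""
    if source.get("type") not in REPO_TYPES:
        return "skip"
    auth = source.get("auth") or {}
    # Only an explicit OAUTH auth block satisfies the rule; a missing auth
    # block or any other auth type is reported as a finding.
    return "ok" if auth.get("type") == "OAUTH" else "alarm"


def evaluate_project(project: dict) -> dict:
    """Evaluate the primary source and every secondary source of a project."""
    sources = [project.get("source", {})] + project.get("secondarySources", [])
    verdicts = [evaluate_source(s) for s in sources]
    status = "alarm" if "alarm" in verdicts else "ok" if "ok" in verdicts else "skip"
    findings = [(s.get("type"), s.get("location"))
                for s, v in zip(sources, verdicts) if v == "alarm"]
    return {"name": project.get("name"), "status": status, "findings": findings}


def audit(projects: Iterable[dict]) -> list:
    """Evaluate every project dict (the 'projects' list of batch-get-projects)."""
    return [evaluate_project(p) for p in projects]


# Constructed sample data shaped like a batch-get-projects response.
SAMPLE_PROJECTS = [
    {"name": "app-ci",
     "source": {"type": "GITHUB", "location": "https://github.com/example/app.git",
                "auth": {"type": "OAUTH"}}},
    {"name": "legacy-ci",  # no auth block at all
     "source": {"type": "BITBUCKET", "location": "https://bitbucket.org/example/legacy.git"}},
    {"name": "infra-ci",   # primary source out of scope, secondary source not OAuth
     "source": {"type": "CODECOMMIT",
                "location": "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/infra"},
     "secondarySources": [{"type": "GITHUB", "location": "https://github.com/example/lib.git",
                           "auth": {"type": "CODECONNECTIONS"}}]},
]

if __name__ == "__main__":
    for r in audit(SAMPLE_PROJECTS):
        print(f"{r['name']}: {r['status']} {r['findings']}")
```

To run it against a live account, replace SAMPLE_PROJECTS with the `projects` list returned by batch-get-projects for the names from `list-projects`.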
Adhering to this guideline not only aligns with CISA-Cyber-Essentials but also enhances the security posture of your CI/CD pipeline. Be sure to apply these configurations consistently across all applicable CodeBuild projects.