Rule: CodeBuild GitHub or Bitbucket Source Repository URLs Should Use OAuth
This rule ensures that CodeBuild project source repository URLs are configured to use OAuth for GitHub or Bitbucket.
| Rule | CodeBuild GitHub or Bitbucket source repository URLs should use OAuth |
| Framework | CISA-cyber-essentials |
| Severity | ✔ Critical |
CodeBuild GitHub or BitBucket Source Repository URLs Should Use OAuth for CISA-Cyber-Essentials
Overview
Using OAuth with AWS CodeBuild for GitHub or Bitbucket source repository URLs is essential for maintaining security and privacy while adhering to the Cybersecurity and Infrastructure Security Agency (CISA) Cyber Essentials. OAuth tokens provide a secure, efficient way to grant and control access to your repositories without sharing your username and password.
Rule Details
This rule requires that any AWS CodeBuild project that uses a source repository from GitHub or Bitbucket must have OAuth tokens configured. This is a security measure that complies with CISA’s cyber essentials, aiming to safeguard your codebase by using tokens instead of credentials for repository access.
Troubleshooting Steps
Checking OAuth Configuration in CodeBuild
- 1.Navigate to the AWS CodeBuild console.
- 2.Choose the build project in question.
- 3.Look in the "Source" section for details on the connection.
- 4.Confirm that the connection method specified uses OAuth.
Verifying OAuth Tokens
- 1.Ensure that you have generated an OAuth token within your GitHub or Bitbucket account.
- 2.Confirm that the token has the necessary permissions to access the repositories required by AWS CodeBuild.
Remediation Steps
Generating OAuth Token on GitHub
Step 1: Create OAuth Token
- 1.Go to your GitHub account settings.
- 2.Click on "Developer settings."
- 3.Select "Personal access tokens" then "Generate new token."
- 4.Choose the appropriate scopes (you'll typically need
,repo
).admin:repo_hook - 5.Generate a token and copy it securely.
Step 2: Integrate OAuth Token into AWS CodeBuild
- 1.Open the AWS CodeBuild console.
- 2.Select or create a new build project.
- 3.In the "Source" section, select "GitHub" or "GitHub Enterprise" as the source provider.
- 4.Choose "Connect using OAuth."
- 5.Follow the prompts to authorize AWS CodeBuild using the OAuth token that you’ve created.
Generating OAuth Token on Bitbucket
Step 1: Create OAuth Consumer
- 1.Log into your Bitbucket account.
- 2.Navigate to 'Settings' > 'Access Management' > 'OAuth.'
- 3.Click on "Add consumer."
- 4.Fill in the necessary details and the required permissions.
- 5.Save the consumer to generate a key and secret.
Step 2: Integrate OAuth Consumer into AWS CodeBuild
- 1.Open the AWS CodeBuild console.
- 2.Select or create a new build project.
- 3.In the "Source" section, choose "Bitbucket" as the source provider.
- 4.Select "Connect with OAuth."
- 5.When prompted, enter the key and secret generated in the Bitbucket OAuth consumer process.
Necessary CLI Commands
To update a GitHub source provider with OAuth in AWS CodeBuild:
aws codebuild update-project \ --name "project-name" \ --source 'type=GITHUB,location=https://github.com/user/repo.git,authType=OAUTH'
To update a Bitbucket source provider with OAuth in AWS CodeBuild:
aws codebuild update-project \ --name "project-name" \ --source 'type=BITBUCKET,location=https://bitbucket.org/user/repo.git,authType=OAUTH'
Adhering to this guideline not only aligns with CISA-Cyber-Essentials but also enhances the security posture of your CI/CD pipeline. Be sure to apply these configurations consistently across all applicable CodeBuild projects.