Rule: CodeBuild GitHub or Bitbucket Source Repository URLs Should Use OAuth
This rule ensures that CodeBuild projects use OAuth for GitHub or Bitbucket source repository URLs.
| Rule | CodeBuild GitHub or Bitbucket source repository URLs should use OAuth |
| Framework | SOC 2 |
| Severity | ✔ Critical |
CodeBuild GitHub or Bitbucket Source Repository URLs Should Use OAuth
Overview
For AWS CodeBuild projects that use GitHub or Bitbucket as a source repository, it's essential to use OAuth tokens for secure authentication. This is particularly important when aiming to comply with SOC 2 standards. Using OAuth tokens in place of traditional user credentials helps in providing a more secure and controlled way of accessing repositories, ensuring that access is only granted to necessary personnel or services and is auditable for security compliance.
Troubleshooting Steps
If AWS CodeBuild is not using OAuth tokens for GitHub or Bitbucket repositories, you should take the following actions:
Verify OAuth Token Usage
- 1.Go to the AWS Management Console.
- 2.Open the AWS CodeBuild console at https://console.aws.amazon.com/codebuild/.
- 3.Choose
and select the project you want to verify.Build projects - 4.Look for the
section.Source - 5.Under
, check to see if you are using a repository URL that starts withRepository
and if you've connected using an OAuth token.https://
Check IAM Policies
Make sure that the IAM role used by your CodeBuild project has the necessary policies attached to interact with OAuth tokens.
- 1.Go to the AWS IAM Console.
- 2.Look for the IAM role associated with your CodeBuild project.
- 3.Verify that the role has the required permissions to access CodeBuild and associated source repositories with an OAuth token.
Inspect CodeBuild Logs
- 1.In the AWS CodeBuild console, select your build project.
- 2.Go to the
tab and click on the specific build run.Build history - 3.Inspect the logs for errors related to source control access.
Remediation Steps
To remediate this, set up OAuth integration for GitHub or Bitbucket within AWS CodeBuild:
GitHub OAuth Integration
- 1.Log into the AWS Management Console.
- 2.Go to the CodeBuild console and select your build project.
- 3.Click on
and navigate to theEdit
section.Source - 4.Choose
orGitHub
as the source provider.GitHub Enterprise Cloud - 5.Click
to authorize AWS CodeBuild to access your GitHub repositories using OAuth.Connect to GitHub
Bitbucket OAuth Integration
- 1.In the AWS Console, navigate to the CodeBuild service.
- 2.Select your build project, click
, then go to theEdit
section.Source - 3.Set the source provider as
.Bitbucket - 4.Connect with Bitbucket by clicking on
.Connect to Bitbucket
Necessary CLI Commands
To perform these steps using the AWS CLI:
Update CodeBuild Project for GitHub Source
aws codebuild update-project \ --name "project-name" \ --source type=GITHUB,location=oauth-token@github.com/owner/repo-name.git,authType=OAUTH
Replace
project-nameoauth-tokenownerrepo-nameUpdate CodeBuild Project for Bitbucket Source
aws codebuild update-project \ --name "project-name" \ --source type=BITBUCKET,location=oauth-token@bitbucket.org/owner/repo-name.git,authType=OAUTH
Replace
project-nameoauth-tokenownerrepo-nameAfter updating your build projects to use OAuth, monitor your builds to ensure they can successfully access your repositories.
Remember to secure your OAuth tokens and rotate them regularly according to your organization's security policy. This is key to maintaining ongoing SOC 2 compliance and ensuring the continued security of your builds and code repositories.