AWS Config Rule: CodeBuild Project OAuth Check
CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK
Fernando Honig
Last Update 6 months ago
Description: Checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or user name and password. The rule is compliant with the usage of OAuth to grant authorization for accessing GitHub or Bitbucket repositories.
Trigger type: Configuration changes
AWS Region: All supported AWS regions except the Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Europe (Milan), Israel (Tel Aviv), Canada West (Calgary), Europe (Spain) and Europe (Zurich) Regions
How to Resolve Manually
Best practice is to never include personal access tokens or a user name and password in the source repository URL:
Correct:
https://bitbucket.org/repo-name-here/repo.git
Incorrect:
https://access-token-name:<access-token>@bitbucket.org/repo-name-here/repo.git
We should always connect to Bitbucket either using OAuth or with a separate app password. In GitHub's case the latter is replaced with a personal access token. Neither is to be defined in the project source URL, as the examples above show.
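To audit existing projects for this pattern, the sketch below approximates the check on project records shaped like the CodeBuild BatchGetProjects response (source, secondarySources, type, location). It is an added example, not AWS's or StackZone's implementation; checking secondary sources and the function names are assumptions, and the sample projects are constructed.

```python
from urllib.parse import urlsplit

CHECKED_TYPES = {"GITHUB", "BITBUCKET"}  # source types named in the rule description

def has_credentials(location):
    """True if the URL has userinfo (token, or user:password) before the host."""
    parts = urlsplit(location or "")
    return parts.username is not None or parts.password is not None

def redact(location):
    """Drop userinfo so a finding can quote the URL without leaking the secret."""
    parts = urlsplit(location)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return parts._replace(netloc=host).geturl()

def evaluate_project(project):
    """Return (compliance, [redacted offending URLs]) for one project dict."""
    # Assumption: secondary sources are checked the same way as the primary one.
    sources = [project.get("source", {})] + project.get("secondarySources", [])
    bad = [redact(s["location"]) for s in sources
           if s.get("type") in CHECKED_TYPES and has_credentials(s.get("location"))]
    return ("NON_COMPLIANT" if bad else "COMPLIANT", bad)

# Constructed sample projects (not real repositories or tokens).
SAMPLES = [
    {"name": "oauth-ok",
     "source": {"type": "BITBUCKET",
                "location": "https://bitbucket.org/repo-name-here/repo.git"}},
    {"name": "token-in-url",
     "source": {"type": "BITBUCKET",
                "location": "https://access-token-name:CONSTRUCTED-SECRET"
                            "@bitbucket.org/repo-name-here/repo.git"}},
    {"name": "secondary-leak",
     "source": {"type": "S3", "location": "example-bucket/src.zip"},
     "secondarySources": [{"type": "GITHUB", "sourceIdentifier": "lib",
                           "location": "https://CONSTRUCTED-TOKEN@github.com/example-org/lib.git"}]},
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p["name"], *evaluate_project(p))
```

Any credential this flags should be treated as exposed and rotated, since the URL is stored in the project configuration and readable by anyone who can describe the project.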
Below is an example of how we would construct a new CodeBuild Project, with the OAuth authentication steps completed as per AWS instructions before we define the repository source URL. Because we are already connected, as shown by our Connection Status, there is no need to put a Personal Access Token or Username/Password into the source URL.