AWS Config Rule: CodeBuild Project OAuth Check

CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK

Fernando Honig

Last Update 7 måneder siden

Description: Checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or user name and password. The rule is compliant with the usage of OAuth to grant authorization for accessing GitHub or Bitbucket repositories.


Trigger type: Configuration changes


AWS Region: All supported AWS regions except Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Europe (Milan), Israel (Tel Aviv), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region


How to Resolve Manually

Best practices dictate that we do not include personal access tokens and/or username and passwords in our source repo url;


Correct:

https://bitbucket.org:repo-name-here/repo.git


Incorrect:

https://access-token-name:[email protected]/repo-name-here/repo.git


We should always connect externally to Bitbucket or using OAuth or with a seperate app password. In Github's case the latter is replaced with a personal access token. They are not to be defined in the project source url as the examples above show.


Below is an example of how we would construct a new CodeBuild Project, complete with the OAuth authentication steps completed as per AWS instructions, before we then define the repository source url. Because we are already connected as shown by our Connection Status, there is no need to input a Personal Access Token or Username/Password into the source url.


Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here

Was this article helpful?

1 out of 1 liked this article

Still need help? Message Us