Profile Applicability:

  • Level 1

Description:

In AWS CodeBuild, projects are linked to source code repositories, which are typically hosted on Amazon CodeCommit, GitHub, or Bitbucket. It's crucial that CodeBuild project source repository URLs do not contain sensitive credentials (such as API keys, passwords, or tokens) to prevent unintentional exposure of secrets. This SOP ensures that CodeBuild project repository URLs are properly configured and do not inadvertently expose sensitive credentials.

Rationale:

  • Security: Exposing credentials within repository URLs can lead to unauthorized access if these credentials are compromised.

  • Compliance: Many compliance frameworks (such as PCI-DSS, HIPAA, SOC 2) require sensitive information to be protected from exposure.

  • Best Practices: Ensuring that repository URLs are properly configured prevents the accidental exposure of sensitive data and helps maintain a secure development pipeline.

Impact:

Pros:

  • Reduced Risk of Credential Exposure: Prevents sensitive credentials from being inadvertently shared or exposed in repository URLs.

  • Security Best Practices: Aligns with security best practices for managing secrets and credentials.

  • Compliance: Helps meet compliance and regulatory requirements for protecting sensitive data.

Cons:

  • Setup Overhead: Configuring AWS CodeBuild projects and repository URLs to avoid sensitive credentials requires review and setup efforts.

  • Increased Complexity: Securing repository access can add a level of complexity, such as requiring IAM roles or access tokens instead of hardcoding credentials in URLs.

Default Value:

By default, AWS CodeBuild may allow repository URLs to contain sensitive information if not configured properly. The CodeBuild project settings must be manually configured to ensure credentials are not exposed.

Pre-requisite:

  • AWS IAM Permissions:

    • codebuild:BatchGetProjects

    • codebuild:ListProjects

    • codebuild:UpdateProject

    • codebuild:CreateProject

    • iam:ListRoles

  • AWS CLI installed and configured.

  • Source Repository Access (GitHub, CodeCommit, etc.).

  • Ensure that your repository access credentials are managed securely via IAM roles or OAuth tokens.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS CodeBuild under Services.

  3. In the CodeBuild Dashboard, select Build projects.

  4. Select a CodeBuild project and review the source repository settings.

    • Verify that the repository URL does not contain any sensitive credentials (e.g., username, password, API keys, or tokens).

    • Ensure the repository URL follows the pattern of using secure access methods such as OAuth tokens or AWS IAM roles.

  5. If the URL contains sensitive information, update the repository settings to use secure credentials management methods.

Using AWS CLI:

  1. To list all CodeBuild projects, run:

    aws codebuild list-projects --query 'projects'

  2. To describe a specific CodeBuild project and inspect its repository settings:

    aws codebuild batch-get-projects --names <project-name> --query 'projects[*].source'

  3. Review the source section for the repository URL. Ensure that sensitive credentials (e.g., API keys, tokens, passwords) are not present.
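The CLI check in steps 1 to 3, scripted across every project in a region, as an added example that is not part of this SOP; it assumes a configured AWS CLI with the permissions listed under Pre-requisite and uses us-east-1 as a placeholder default region:

```shell
#!/bin/sh
# Added example, not part of this SOP: scan every CodeBuild project in a
# region and flag source locations that embed credentials. Needs the AWS CLI
# plus codebuild:ListProjects and codebuild:BatchGetProjects; the us-east-1
# default region is an assumption.

# Return 0 (true) when the URL carries credentials in its authority section
# (https://user:token@host/...) or a secret-looking key in its query string.
has_embedded_credentials() {
    url=$1
    # SSH-style git@host:repo has no scheme and "git" is not a secret.
    case "$url" in *://*) ;; *) return 1 ;; esac
    rest=${url#*://}
    authority=${rest%%/*}
    case "$authority" in
        *@*) return 0 ;;   # userinfo present: user:password@ or token@
    esac
    case "$url" in
        *\?*token=*|*\?*password=*|*\?*access_key=*|*\?*api_key=*) return 0 ;;
    esac
    return 1
}

# Mask the userinfo part so the finding can be logged without re-exposing it.
redact_url() {
    printf '%s\n' "$1" | sed 's#://[^@/]*@#://<redacted>@#'
}

# List projects, fetch each source location and report the flagged ones.
# Returns 1 if at least one project fails the check.
scan_projects() {
    region=${1:-us-east-1}
    found=0
    for name in $(aws codebuild list-projects --region "$region" \
                    --query 'projects[]' --output text); do
        location=$(aws codebuild batch-get-projects --region "$region" \
                    --names "$name" --query 'projects[0].source.location' \
                    --output text)
        if has_embedded_credentials "$location"; then
            echo "FAIL: $name -> $(redact_url "$location")"
            found=1
        fi
    done
    return $found
}

# Run the scan only when invoked with --scan so the helpers can be sourced.
if [ "${1:-}" = "--scan" ]; then
    scan_projects "${2:-us-east-1}"
fi
```

Run it as `sh scan.sh --scan <region>`; a non-zero exit code means at least one project still embeds credentials in its source location.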

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to AWS CodeBuild.

  2. In the CodeBuild Dashboard, select Build projects and choose the project to review.

  3. Under the Source section, check the repository URL.

    • If it contains sensitive information (like a username and password), update the repository URL.

    • Replace sensitive credentials with secure methods like IAM roles, OAuth tokens, or AWS CodeCommit access controls.

  4. Save the changes and ensure that the CodeBuild project is properly configured with secure repository access.

Using AWS CLI:

  1. To update the repository URL to remove sensitive credentials, run:

    aws codebuild update-project --name <project-name> --source "type=GITHUB,location=https://github.com/username/repo-name"

  2. Or, for AWS CodeCommit:

    aws codebuild update-project --name <project-name> --source "type=CODECOMMIT,location=https://git-codecommit.<region>.amazonaws.com/v1/repos/<repo-name>"

  3. Ensure that any sensitive credentials (username, password, tokens) are removed from the URL and that secure authentication methods are used (e.g., IAM roles for AWS repositories or OAuth for GitHub).

Backout Plan:

Using AWS Console:

  1. If removing credentials from the repository URL causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS CodeBuild and select the affected build project.

  3. Revert the repository URL to include the credentials if necessary (though this is not recommended).

  4. Save the changes.

Using AWS CLI:

  1. To revert the repository URL to include sensitive credentials, run the following command:

    aws codebuild update-project --name <PROJECT_NAME> --source "type=GITHUB,location=https://username:token@github.com/user/repo" --region <REGION>

  2. Verify that the changes have been reverted by describing the CodeBuild Project again:

    aws codebuild batch-get-projects --names <PROJECT_NAME> --region <REGION>

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                   | IG1 | IG2 | IG3
  --------|------------|-----------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                  |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.              |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                       |     |     |