More Info:

This rule examines the Bitbucket source repository URL configured for an AWS CodeBuild project and checks for the presence of sign-in credentials. Storing sign-in credentials within the repository URL poses a security risk as it can potentially expose sensitive information. It is recommended to use SSH keys or OAuth tokens for authentication with Bitbucket repositories instead of embedding credentials in URLs.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Remediation

Using Console

To remediate the issue of sign-in credentials being stored in a Bitbucket source repository URL in AWS CodeBuild, follow these steps using the AWS Management Console:

  1. Access AWS CodeBuild Console:

    • Log in to your AWS Management Console.
    • Go to the AWS CodeBuild console by navigating to the “Services” menu and selecting “CodeBuild” under the Developer Tools section.

  2. Select the Project:

    • In the CodeBuild console, select the project where the Bitbucket source repository URL is configured with sign-in credentials.

  3. Edit Source Settings:

    • In the project details page, click on the “Edit” button next to the source section where the Bitbucket repository is configured.

  4. Update Repository URL:

    • In the source settings, locate the field where the Bitbucket repository URL is configured.
    • Remove the sign-in credentials from the repository URL. Instead of including credentials in the URL, consider using SSH keys or OAuth tokens for authentication.

  5. Configure Authentication:

    • If you were using sign-in credentials in the URL for authentication, set up a secure method for authentication like SSH keys or OAuth tokens.
    • For SSH keys, you can generate a new SSH key pair and add the public key to your Bitbucket account.
    • For OAuth tokens, create a personal access token in Bitbucket with the necessary permissions and use it for authentication.

  6. Save Changes:

    • After updating the repository URL and authentication method, save the changes in the CodeBuild project settings.

  7. Test the Build:

    • Trigger a new build in the CodeBuild project to ensure that the source code is fetched without any issues after the remediation.

By following these steps, you can remediate the issue of storing sign-in credentials in the Bitbucket source repository URL in AWS CodeBuild and ensure secure and best practices for handling source code authentication.

Using CLI

To remediate the issue of sign-in credentials being in the Bitbucket source repository URL in AWS CodeBuild, you can follow these steps using AWS CLI:

  1. Create a Bitbucket App Password: Instead of using your Bitbucket account password in the repository URL, create an App Password specifically for CodeBuild. This will allow CodeBuild to access the repository without exposing your actual account password.

  2. Update CodeBuild Project Source: Update the CodeBuild project source settings to use the App Password instead of your account password.

  3. Update CodeBuild Project using AWS CLI:

    • Use the update-project command to update the source settings of your CodeBuild project. You will need to specify the project name and the new source settings with the App Password.
    aws codebuild update-project --name YOUR_PROJECT_NAME --source-auth BITBUCKET --source-auth-access-token YOUR_APP_PASSWORD

  4. Remove Credentials from Bitbucket Source URL: Make sure to remove any sign-in credentials from the Bitbucket source repository URL in your CodeBuild project settings.

By following these steps, you have remediated the issue of sign-in credentials being in the Bitbucket source repository URL in AWS CodeBuild and improved the security of your AWS environment.

Using Python

To remediate the issue of sign-in credentials being in the Bitbucket source repository URL in AWS CodeBuild, you can follow these steps using Python:

  1. Store Credentials Securely: Do not store any sensitive information such as sign-in credentials in your source code or repository. Instead, you can use AWS Secrets Manager to securely store and retrieve credentials.

  2. Update CodeBuild Environment Variables: In your CodeBuild project settings, update the environment variables to securely pass the credentials to your build process. You can use the AWS SDK for Python (Boto3) to update the environment variables.

import boto3

client = boto3.client('codebuild')

response = client.update_project(
    name='your-codebuild-project-name',
    environment={
        'environmentVariables': [
            {
                'name': 'BITBUCKET_USERNAME',
                'value': 'your-username',
                'type': 'PLAINTEXT'
            },
            {
                'name': 'BITBUCKET_PASSWORD',
                'value': 'your-password',
                'type': 'PLAINTEXT'
            }
        ]
    }
)

  1. Use IAM Roles: Instead of using hardcoded credentials, configure an IAM role with the necessary permissions for your CodeBuild project to access Bitbucket repositories. Attach this IAM role to your CodeBuild project.

  2. Implement CodeBuild Source Credentials: You can use Source Credential Override in CodeBuild to securely store and retrieve Bitbucket credentials. You can set this up in the CodeBuild project settings or via the AWS CLI.

import boto3

client = boto3.client('codebuild')

response = client.update_project(
    name='your-codebuild-project-name',
    source={
        'type': 'BITBUCKET',
        'location': 'your-bitbucket-repository-url',
        'auth': {
            'type': 'OAUTH',
            'resource': 'your-oauth-token'
        }
    }
)
  1. Monitor and Rotate Credentials: Regularly monitor and rotate your credentials stored in AWS Secrets Manager or IAM roles to enhance security and compliance.

By following these steps and best practices, you can remediate the issue of sign-in credentials being in the Bitbucket source repository URL in AWS CodeBuild securely and effectively.