
πŸ›‘οΈ AWS CodeBuild Project Bitbucket Source Location URL contains credentials🟒

  • Contextual name: 🛡️ Project Bitbucket Source Location URL contains credentials 🟢
  • ID: /ce/ca/aws/codebuild/project-bitbucket-source-url-contains-creds
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-cc74149f1 | |

Description

This policy checks that AWS CodeBuild projects that use Bitbucket as a source repository do not embed credentials within the repository URL.

Rationale

Storing credentials directly in a repository URL is a critical security risk. A credential that is part of the source location is stored in plaintext in the project configuration, so it is visible to anyone who can read the project, and it is easily captured in build logs, command line history, or the build container's git remote configuration, giving whoever obtains it access to the source code repository. Such a credential is also hard to rotate, because rotating it means editing every project that embeds it. The recommended and more secure method for granting CodeBuild access to Bitbucket repositories is OAuth.

Audit

This policy marks an AWS CodeBuild Project as INCOMPLIANT if the project's Source Type is BITBUCKET and the Source Location URL contains an @ character, which indicates credentials embedded in the URL (for example https://user:app-password@bitbucket.org/workspace/repo.git). A clean Bitbucket HTTPS clone URL has no @ character.

Projects with any other Source Type are flagged as INAPPLICABLE.
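The audit rule above, implemented as an added example (this is not Cloudaware's or AWS's code): it walks every CodeBuild project through the paginated ListProjects and BatchGetProjects APIs, applies the BITBUCKET / @ rule to each project's primary source, and reports the redacted URL rather than the embedded secret. The project names and URLs in the sample data are constructed, and FakeCodeBuild is a stand-in for a boto3 CodeBuild client so the script runs offline; main() with no argument performs a live scan with boto3.

```python
"""Added example (not Cloudaware's or AWS's code): evaluate CodeBuild projects the way the
Audit section describes and produce findings that do not leak the embedded secret."""
from urllib.parse import urlsplit, urlunsplit

INCOMPLIANT, COMPLIANT, INAPPLICABLE = "INCOMPLIANT", "COMPLIANT", "INAPPLICABLE"


def url_embeds_credentials(location):
    """The policy's rule: an '@' in the Bitbucket source location means a
    user:secret@ userinfo part. A clean Bitbucket HTTPS clone URL
    (https://bitbucket.org/<workspace>/<repo>.git) never contains one."""
    return "@" in location


def strip_userinfo(location):
    """Return the location with any user:secret@ part removed; this is the URL to
    enter when reconnecting the project with OAuth."""
    parts = urlsplit(location)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def evaluate_project(project):
    """Map one BatchGetProjects 'projects' entry to the policy's verdict."""
    source = project.get("source", {})
    if source.get("type") != "BITBUCKET":
        return INAPPLICABLE
    if url_embeds_credentials(source.get("location", "")):
        return INCOMPLIANT
    return COMPLIANT


def audit_projects(client):
    """Walk every project and evaluate it. `client` is a boto3 CodeBuild client or
    anything with the same list_projects / batch_get_projects shape."""
    names, token = [], None
    while True:  # ListProjects is paginated via nextToken
        page = client.list_projects(**({"nextToken": token} if token else {}))
        names.extend(page.get("projects", []))
        token = page.get("nextToken")
        if not token:
            break
    findings = []
    for i in range(0, len(names), 100):  # BatchGetProjects accepts at most 100 names per call
        for project in client.batch_get_projects(names=names[i:i + 100]).get("projects", []):
            status = evaluate_project(project)
            location = project.get("source", {}).get("location", "")
            # Never echo the secret into a report or log: store the redacted URL instead.
            findings.append({"name": project["name"], "status": status,
                             "location": strip_userinfo(location)})
    return findings


# Constructed sample projects (hypothetical names and URLs, not real accounts).
SAMPLE_PROJECTS = [
    {"name": "web-bad", "source": {"type": "BITBUCKET",
                                   "location": "https://alice:app-password@bitbucket.org/acme/web.git"}},
    {"name": "web-ok", "source": {"type": "BITBUCKET",
                                  "location": "https://bitbucket.org/acme/web.git"}},
    {"name": "api-gh", "source": {"type": "GITHUB",
                                  "location": "https://github.com/acme/api.git"}},
]


class FakeCodeBuild:
    """Offline stand-in for boto3.client('codebuild') that serves SAMPLE_PROJECTS
    over two ListProjects pages so the pagination path is exercised."""

    def __init__(self, projects):
        self._projects = {p["name"]: p for p in projects}

    def list_projects(self, nextToken=None):
        names = sorted(self._projects)
        if nextToken is None:
            return {"projects": names[:1], "nextToken": "page-2"}
        return {"projects": names[1:]}

    def batch_get_projects(self, names):
        return {"projects": [self._projects[n] for n in names]}


def main(client=None):
    if client is None:
        import boto3  # only needed for a live run against an AWS account
        client = boto3.client("codebuild")
    for f in audit_projects(client):
        print(f"{f['status']:<12} {f['name']:<20} {f['location']}")


if __name__ == "__main__":
    main(FakeCodeBuild(SAMPLE_PROJECTS))  # offline demo; call main() for a live scan
```

Running the script offline prints one line per sample project (INCOMPLIANT for web-bad, COMPLIANT for web-ok, INAPPLICABLE for api-gh). Redacting the location before it is written anywhere matters because BatchGetProjects returns the source location in plaintext to any principal allowed to call it, so an audit report that copies it verbatim would spread the very credential the policy is trying to remove.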

Remediation

From Console

To remove the embedded credentials and configure OAuth authentication for your AWS CodeBuild Project:

  1. In the CodeBuild console, open Build projects and select the build project whose source URL currently contains credentials.
  2. Choose Edit, then Source. Under Source, choose Disconnect from Bitbucket to remove the existing basic-auth or personal access token linkage.
  3. Choose Connect using OAuth, then Connect to Bitbucket. When prompted, grant the requested OAuth permissions so that CodeBuild gets secure, token-based access.
  4. Enter or confirm the repository URL without any embedded credentials (https://bitbucket.org/workspace/repo.git rather than https://user:token@bitbucket.org/workspace/repo.git).
  5. Adjust any other source configuration parameters (for example, the buildspec path or webhook triggers).
  6. Choose Update source to apply the OAuth-based authentication and complete the remediation.

Treat the credential that was embedded in the URL as exposed: revoke or rotate it in Bitbucket after the project has been updated, since it may already be present in build logs and in earlier copies of the project configuration.

policy.yaml

Linked Framework Sections

Section → Sub Section | Counts (Internal Rules, Policies, Flags) | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials | 11 | no data
💼 Cloudaware Framework → 💼 Secure Access | 55 | no data
💼 FedRAMP High Security Controls → 💼 SA-3 System Development Life Cycle (L)(M)(H) | 4 | no data
💼 FedRAMP Low Security Controls → 💼 SA-3 System Development Life Cycle (L)(M)(H) | 4 | no data
💼 FedRAMP Moderate Security Controls → 💼 SA-3 System Development Life Cycle (L)(M)(H) | 4 | no data
💼 NIST CSF v2.0 → 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles | 21 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-3 System Development Life Cycle | 34 | no data
💼 PCI DSS v3.2.1 → 💼 8.2.1 Using strong cryptography, render all authentication credentials unreadable during transmission and storage on all system components. | 14 | no data
💼 PCI DSS v4.0.1 → 💼 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components. | 14 | no data
💼 PCI DSS v4.0 → 💼 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components. | 614 | no data