Skip to main content

πŸ“ AWS CodeBuild Project Bitbucket Source Location URL contains credentials 🟒

  • Contextual name: πŸ“ Project Bitbucket Source Location URL contains credentials 🟒
  • ID: /ce/ca/aws/codebuild/project-bitbucket-source-url-contains-creds
  • Located in: πŸ“ AWS CodeBuild

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-cc74149f1

Logic​

Description​

Open File

Description​

This policy checks that AWS CodeBuild projects that use Bitbucket as a source repository do not embed credentials within the repository URL.

Rationale​

Storing credentials directly in repository URLs is a critical security risk. These credentials can be inadvertently captured in build logs, command line history, or intercepted in transit, leading to unauthorized access to the source code repository. The recommended and more secure method for granting CodeBuild access to Bitbucket repositories is using OAuth.

Audit​

This policy marks an AWS CodeBuild Project as INCOMPLIANT if the project's Source Type is set to BITBUCKET and the Source Location URL has an @ character embedded credentials in the URL.

Projects with any other Source Type are flagged as INAPPLICABLE.

Remediation​

Open File

Remediation​

From Console​

To eliminate embedded credentials and configure OAuth authentication for your AWS CodeBuild Project:

  1. Locate and select the build project that currently references credentials in its source URL.
  2. Edit Source Configuration Under Source, choose Disconnect from Bitbucket to remove the existing basic‑auth or Personal Access Token linkage.
  3. Click Connect using OAuth. Select Connect to Bitbucket. When prompted, grant the required OAuth permissions to allow CodeBuild secure, token‑based access.
  4. Enter or confirm your repository URL (omit any embedded credentials).
  5. Adjust any additional source‑configuration parameters (e.g., build – spec path, webhook triggers).
  6. Click Update source to apply the new OAuth‑based authentication and complete remediation.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials11
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Secure Access53
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SA-3 System Development Life Cycle (L)(M)(H)4
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SA-3 System Development Life Cycle (L)(M)(H)4
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SA-3 System Development Life Cycle (L)(M)(H)4
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles21
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SA-3 System Development Life Cycle34
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 8.2.1 Using strong cryptography, render all authentication credentials unreadable during transmission and storage on all system components.14
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.14
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.614