Ensure AWS CodeBuild Projects Using GitHub Connect Only to Allowed Organizations

Overview

This check verifies that AWS CodeBuild projects sourcing code from GitHub only use repositories from trusted organizations. When CodeBuild pulls code from untrusted GitHub organizations, attackers can exploit GitHub Actions workflows to assume the CodeBuild project's IAM role and obtain AWS credentials.

Risk

Severity: High

Using GitHub repositories from untrusted organizations creates serious security vulnerabilities:

  • Credential theft: Attackers can use malicious GitHub Actions workflows to assume CodeBuild IAM roles and steal AWS credentials
  • Supply chain attacks: Untrusted code could introduce backdoors or malicious dependencies into your builds
  • Data exfiltration: Compromised builds could leak sensitive environment variables, secrets, or build artifacts
  • Persistent access: Attackers gaining IAM role access may establish long-term access to your AWS account

Remediation Steps

Prerequisites

  • Access to AWS Console with permissions to modify CodeBuild projects
  • A list of your organization's approved GitHub organizations

Required IAM permissions

You need these permissions to remediate this finding:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:BatchGetProjects",
        "codebuild:ListProjects",
        "codebuild:UpdateProject"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

  1. Open the AWS CodeBuild console
  2. Click on the project name that failed the check
  3. Click Edit at the top of the page, then select Source
  4. Under Source provider, verify it shows GitHub
  5. Check the Repository URL - it should follow the format: https://github.com/<ORGANIZATION>/<REPOSITORY>
  6. If the organization is not on your approved list, update the URL to use an approved organization's repository
  7. Click Update source

Important: Before changing the source repository, ensure:

  • The replacement repository contains the same or equivalent code
  • Any webhook configurations are updated accordingly
  • Build badges and status checks are reconfigured if needed

AWS CLI (optional)

List all CodeBuild projects to identify those using GitHub:

aws codebuild list-projects --region us-east-1

Get details about a specific project to check its source:

aws codebuild batch-get-projects \
  --names <your-project-name> \
  --region us-east-1 \
  --query 'projects[*].{Name:name,SourceType:source.type,SourceLocation:source.location}'

Update the project to use a trusted GitHub organization:

aws codebuild update-project \
  --name <your-project-name> \
  --source type=GITHUB,location=https://github.com/<TRUSTED-ORG>/<REPOSITORY> \
  --region us-east-1

Replace:

  • <your-project-name> with your CodeBuild project name
  • <TRUSTED-ORG> with your approved GitHub organization
  • <REPOSITORY> with the repository name

CloudFormation (optional)

Use this CloudFormation template to create a CodeBuild project that sources from a trusted GitHub organization:

AWSTemplateFormatVersion: '2010-09-09'
Description: CodeBuild project with trusted GitHub organization source

Parameters:
  ProjectName:
    Type: String
    Description: Name of the CodeBuild project

  GitHubOrganization:
    Type: String
    Description: Trusted GitHub organization name

  GitHubRepository:
    Type: String
    Description: GitHub repository name

  CodeBuildServiceRoleArn:
    Type: String
    Description: ARN of the IAM role for CodeBuild

Resources:
  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Ref ProjectName
      Description: CodeBuild project using trusted GitHub organization
      ServiceRole: !Ref CodeBuildServiceRoleArn
      Source:
        Type: GITHUB
        Location: !Sub 'https://github.com/${GitHubOrganization}/${GitHubRepository}'
        BuildSpec: buildspec.yml
        ReportBuildStatus: true
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/amazonlinux2-x86_64-standard:5.0
      LogsConfig:
        CloudWatchLogs:
          Status: ENABLED

Outputs:
  ProjectArn:
    Description: ARN of the CodeBuild project
    Value: !GetAtt CodeBuildProject.Arn

Deploy the stack:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name trusted-codebuild-project \
  --parameter-overrides \
    ProjectName=my-project \
    GitHubOrganization=my-trusted-org \
    GitHubRepository=my-repo \
    CodeBuildServiceRoleArn=arn:aws:iam::123456789012:role/CodeBuildServiceRole \
  --region us-east-1

Terraform (optional)

Use this Terraform module to create a CodeBuild project with a trusted GitHub source:

variable "project_name" {
  description = "Name of the CodeBuild project"
  type        = string
}

variable "github_organization" {
  description = "Trusted GitHub organization name"
  type        = string
}

variable "github_repository" {
  description = "GitHub repository name"
  type        = string
}

variable "codebuild_role_arn" {
  description = "ARN of the IAM role for CodeBuild"
  type        = string
}

resource "aws_codebuild_project" "trusted_github" {
  name         = var.project_name
  description  = "CodeBuild project using trusted GitHub organization"
  service_role = var.codebuild_role_arn

  source {
    type                = "GITHUB"
    location            = "https://github.com/${var.github_organization}/${var.github_repository}"
    buildspec           = "buildspec.yml"
    report_build_status = true
  }

  artifacts {
    type = "NO_ARTIFACTS"
  }

  environment {
    compute_type                = "BUILD_GENERAL1_SMALL"
    image                       = "aws/codebuild/amazonlinux2-x86_64-standard:5.0"
    type                        = "LINUX_CONTAINER"
    image_pull_credentials_type = "CODEBUILD"
  }

  logs_config {
    cloudwatch_logs {
      status = "ENABLED"
    }
  }
}

output "project_arn" {
  description = "ARN of the CodeBuild project"
  value       = aws_codebuild_project.trusted_github.arn
}

Example usage:

module "codebuild_project" {
  source = "./modules/codebuild"

  project_name        = "my-application-build"
  github_organization = "my-trusted-org"
  github_repository   = "my-application"
  codebuild_role_arn  = aws_iam_role.codebuild.arn
}

Verification

After making changes, verify the remediation was successful:

  1. Return to the CodeBuild project in the AWS Console
  2. Check the Source section shows a repository URL with your approved organization
  3. Run a test build to confirm the project still functions correctly

CLI verification

# Verify the source configuration
aws codebuild batch-get-projects \
  --names <your-project-name> \
  --region us-east-1 \
  --query 'projects[0].source.location' \
  --output text

The output should show a URL containing your trusted GitHub organization.
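To apply the allowed-organization check to the full `batch-get-projects` output rather than eyeballing one URL, here is an added Python example (not Prowler's own check code). The JSON in `SAMPLE_OUTPUT` is a constructed sample of the command's `--output json` shape; the example goes beyond the page's `--query` by also inspecting `secondarySources` and `GITHUB_ENTERPRISE` locations, since those pull code the same way.

```python
import json
from typing import Optional
from urllib.parse import urlparse

# Constructed sample of `aws codebuild batch-get-projects --output json`; not real projects.
SAMPLE_OUTPUT = json.dumps({
    "projects": [
        {"name": "app-build",
         "source": {"type": "GITHUB",
                    "location": "https://github.com/my-trusted-org/my-application.git"},
         "secondarySources": [
             {"type": "GITHUB", "location": "https://github.com/Unknown-Org/shared-libs"}]},
        {"name": "ghes-build",
         "source": {"type": "GITHUB_ENTERPRISE",
                    "location": "https://ghe.example.com/my-trusted-org/tools"}},
        {"name": "s3-build",
         "source": {"type": "S3", "location": "my-bucket/source.zip"}},
    ]
})

# Source types whose location is an <ORGANIZATION>/<REPOSITORY> URL on GitHub or GHES.
GITHUB_TYPES = {"GITHUB", "GITHUB_ENTERPRISE"}


def github_org(location: str) -> Optional[str]:
    """Return the lower-cased organization segment of a repository URL, or None if absent."""
    parts = urlparse(location).path.strip("/").split("/")
    return parts[0].lower() if len(parts) >= 2 and parts[0] else None


def audit_projects(batch_get_output: str, allowed_orgs) -> list:
    """Return (project, source label, org) for every GitHub source outside the allowlist."""
    allowed = {o.lower() for o in allowed_orgs}
    findings = []
    for project in json.loads(batch_get_output)["projects"]:
        sources = [("source", project.get("source", {}))]
        sources += [(f"secondarySources[{i}]", s)
                    for i, s in enumerate(project.get("secondarySources", []))]
        for label, src in sources:
            if src.get("type") not in GITHUB_TYPES:
                continue  # S3, CodeCommit, Bitbucket etc. are out of scope for this check
            org = github_org(src.get("location", ""))
            if org is None or org not in allowed:
                findings.append((project["name"], label, org or "<unparseable>"))
    return findings


if __name__ == "__main__":
    for name, label, org in audit_projects(SAMPLE_OUTPUT, {"my-trusted-org"}):
        print(f"FAIL {name}: {label} uses organization '{org}'")
```

Pipe the real command output in place of `SAMPLE_OUTPUT` and pass the allowlist from your Prowler configuration; an empty result means every GitHub source is on the list.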

Additional Resources

Notes

  • Prowler configuration: This check requires you to configure allowed GitHub organizations in your Prowler configuration file. Without this configuration, all GitHub sources may be flagged.

  • GitHub Enterprise: If you use GitHub Enterprise Server, ensure your Enterprise instance's organization is also on the allowed list.

  • Service disruption: Changing the source repository will affect future builds. Coordinate changes during maintenance windows and test thoroughly before deploying to production.

  • Webhook updates: If the project uses GitHub webhooks to trigger builds, you may need to reconfigure webhooks after changing the source repository.

  • IAM role permissions: Review the CodeBuild service role to ensure it follows least-privilege principles, limiting what actions can be taken even if the role is compromised.