This check evaluates CodeBuild projects whose source is GitHub or GitHub Enterprise and whose service role trusts CodeBuild: it derives the repository's organization from the source URL and compares it against the allowed organizations list.
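The logic described above, reproduced as an added example (not Prowler's own code): the organization is taken from the first path segment of an https or scp-style GitHub/GHE location, the role's trust policy is inspected for the codebuild.amazonaws.com principal, and the result is PASS, FAIL or SKIP. The allowlist, sample project and trust policy are constructed for illustration.

```python
# Added example, not Prowler code; allowlist and sample data are constructed.
from typing import Optional
from urllib.parse import urlparse

ALLOWED_GITHUB_ORGS = {"acme-corp", "acme-platform"}  # constructed allowlist

def github_org_from_location(location: str) -> Optional[str]:
    """Org from https://host/org/repo(.git) or git@host:org/repo(.git); else None."""
    loc = location.strip()
    if "://" in loc:
        path = urlparse(loc).path
    elif ":" in loc and "@" in loc.split(":", 1)[0]:
        path = loc.split(":", 1)[1]  # scp-style SSH form
    else:
        return None
    parts = [p for p in path.split("/") if p]
    # Need at least org and repo; the org is the first path segment.
    return parts[0].lower() if len(parts) >= 2 else None

def role_trusts_codebuild(trust_policy: dict) -> bool:
    """True if an Allow statement names codebuild.amazonaws.com as a Service principal."""
    stmts = trust_policy.get("Statement", [])
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        principal = s.get("Principal")
        if s.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue  # wildcard or non-service principals are not counted here
        svc = principal.get("Service", [])
        if "codebuild.amazonaws.com" in ([svc] if isinstance(svc, str) else svc):
            return True
    return False

def evaluate_project(project: dict, trust_policy: dict, allowed=ALLOWED_GITHUB_ORGS) -> str:
    """Return PASS, FAIL, or SKIP (project out of the check's scope)."""
    src = project.get("source", {})
    if src.get("type") not in ("GITHUB", "GITHUB_ENTERPRISE"):
        return "SKIP"
    if not role_trusts_codebuild(trust_policy):
        return "SKIP"
    org = github_org_from_location(src.get("location", ""))
    if org is None:
        return "FAIL"  # org cannot be derived: never treat it as allowed
    return "PASS" if org in {a.lower() for a in allowed} else "FAIL"

SAMPLE_TRUST_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"Service": "codebuild.amazonaws.com"}}]}  # constructed
SAMPLE_PROJECT = {"name": "example-build", "source": {  # constructed
    "type": "GITHUB", "location": "https://github.com/untrusted-org/app.git"}}

if __name__ == "__main__":
    print(SAMPLE_PROJECT["name"], evaluate_project(SAMPLE_PROJECT, SAMPLE_TRUST_POLICY))
```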
Risk
Sourcing a project from an untrusted GitHub organization can let workflows outside your control run under the project's service role and obtain AWS credentials.
- Confidentiality: data/secrets exfiltration
- Integrity: unauthorized changes
- Availability: build abuse or service disruption
Run this check with Prowler:
prowler aws --checks codebuild_project_uses_allowed_github_organizations
Recommendation
Limit sources to approved GitHub organizations via an explicit allowlist. Enforce least privilege on the CodeBuild service role and avoid admin rights. Apply separation of duties for allowlist changes and add defense in depth (branch protections, reviews, monitoring) to prevent workflow abuse.
Remediation
Using the AWS CLI, point the project's source at a repository in an allowed organization (replace the placeholders):
aws codebuild update-project --name <example_resource_name> --source type=GITHUB,location=https://github.com/<ALLOWED_GITHUB_ORG>/<REPO>
Using the AWS Console:
- Open the AWS Console and go to CodeBuild > Build projects
- Select the project and click Edit
- In Source, set Repository URL to https://github.com/<ALLOWED_GITHUB_ORG>/<REPO>
- Click Update to save
Resource Type
AwsCodeBuildProject
References
- https://medium.com/@adan.alvarez/gaining-long-term-aws-access-with-codebuild-and-github-873324638784
- https://paul-hands-phd.medium.com/using-aws-codebuild-to-set-up-github-continuous-integration-19b92efbd094
- https://docs.aws.amazon.com/codebuild/latest/userguide/connections-github-app.html
- https://docs.aws.amazon.com/codebuild/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html