AWS Security Hub · CodeBuild
CodeBuild.1: A CodeBuild Bitbucket URL contains embedded credentials
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub CodeBuild.1 check?
CodeBuild.1 fails any CodeBuild project — primary source or any secondary source — whose Bitbucket source URL contains a username and password or a personal access token in the userinfo component (the username:password@ that precedes the host).
Why does CodeBuild.1 matter?
That URL is readable by anyone with codebuild:BatchGetProjects or console access, gets copied into CloudFormation templates and Terraform state, and echoes into CloudTrail and build logs. The location field is not a secret store — it has no encryption-at-rest boundary. A leaked repo token is a foothold into every branch and commit history, where the next set of hardcoded secrets usually lives.
How do I fix CodeBuild.1?
- Enumerate all projects across accounts and regions and inspect both source.location and every secondarySources[].location for a user:secret@host shape.
- Reconnect the source using OAuth in the console — Disconnect from Bitbucket, then Connect using OAuth — so location carries only the repo path.
- Revoke the exposed credential at Bitbucket, since copies already exist in IaC, CloudTrail, and build logs.
- Enable the AWS Config managed rule codebuild-project-source-repo-url-check (the rule that backs this control) so a re-introduced credential is caught on the next evaluation, and restrict codebuild:BatchGetProjects to the roles that genuinely need to read project definitions.
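The enumeration and fix above, carried through in a script that is an added example and not the page's own remediation block. It checks every "location" in a batch-get-projects document (primary and secondary sources) for the scheme://user:secret@host shape, reports the hit with the secret stripped so the report itself does not leak it, and, when run with LIVE=1, walks the projects of one region with the AWS CLI. SAMPLE_PROJECT_JSON, the project name demo-project, the user ci-bot, the sample app password and the repo URLs are constructed for the demo; the live functions assume the CLI is configured for an account that grants codebuild:ListProjects, codebuild:BatchGetProjects, codebuild:UpdateProject and config:PutConfigRule.

```shell
#!/usr/bin/env bash
# Added example, not the page's own script: detect CodeBuild source locations of the
# shape scheme://user:secret@host (the pattern CodeBuild.1 flags) in primary and
# secondary sources, report them with the secret stripped, and optionally rewrite
# the project. SAMPLE_PROJECT_JSON, "demo-project" and the sample URLs are constructed.
set -eu

# True when the URL carries a userinfo part: an '@' that appears before the first '/'
# after the scheme. The scp-style form git@bitbucket.org:team/repo.git has no scheme,
# so it is not flagged; it names a user but carries no secret.
has_userinfo() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9+.-]*://[^/@]+@'
}

# The URL with userinfo removed: the value location should hold after the fix.
strip_userinfo() {
  printf '%s\n' "$1" | sed -E 's#^([A-Za-z][A-Za-z0-9+.-]*://)[^/@]+@#\1#'
}

# The user name in front of the secret (not sensitive; tells you which Bitbucket
# app password or token to revoke). Token-only URLs use the fixed user x-token-auth.
userinfo_user() {
  printf '%s\n' "$1" | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://([^/@:]+)(:[^/@]*)?@.*#\1#'
}

# Read batch-get-projects JSON on stdin; print "<user> <redacted location>" for every
# source, primary or secondary, whose location embeds credentials. Plain grep keeps
# the check free of jq; other "location" keys (artifacts, cache, S3 logs) hold bucket
# names or paths without a scheme and fall through has_userinfo unflagged.
scan_project_json() {
  { grep -oE '"location": *"[^"]*"' || true; } \
  | sed -E 's/^"location": *"//; s/"$//' \
  | while IFS= read -r loc; do
      if has_userinfo "$loc"; then
        printf '%s %s\n' "$(userinfo_user "$loc")" "$(strip_userinfo "$loc")"
      fi
    done
}

# Constructed sample shaped like `aws codebuild batch-get-projects` output: the
# primary source is clean, the secondary source carries an app password. A clean
# primary does not excuse the secondary; the project still fails CodeBuild.1.
SAMPLE_PROJECT_JSON='{
  "projects": [{
    "name": "demo-project",
    "source": {"type": "BITBUCKET", "location": "https://bitbucket.org/acme/app.git"},
    "secondarySources": [{
      "type": "BITBUCKET", "sourceIdentifier": "libs",
      "location": "https://ci-bot:ATBBexampleAppPassword@bitbucket.org/acme/libs.git"
    }],
    "artifacts": {"type": "S3", "location": "acme-build-artifacts"}
  }]
}'

# Live scan of one region: every project, primary and secondary sources.
# Needs codebuild:ListProjects and codebuild:BatchGetProjects; repeat per region.
scan_region() {
  local region="$1" name
  aws codebuild list-projects --region "$region" --query 'projects[]' --output text \
  | tr '\t' '\n' | while IFS= read -r name; do
      [ -n "$name" ] || continue
      aws codebuild batch-get-projects --region "$region" --names "$name" --output json \
      | scan_project_json | sed "s/^/$region $name /"
    done
}

# Rewrite a flagged primary source to the bare repo path. Do this after the project is
# reconnected with OAuth in the console (or after a fresh app password, never the
# leaked one, is stored with import-source-credentials), because --source replaces the
# whole source object: re-supply buildspec, gitCloneDepth and similar settings you use.
fix_primary_source() {
  local region="$1" name="$2" clean="$3"
  aws codebuild update-project --region "$region" --name "$name" \
    --source "type=BITBUCKET,location=$clean"
}

# Keep the check running: the AWS Config managed rule behind CodeBuild.1.
enable_config_rule() {
  aws configservice put-config-rule --region "$1" --config-rule \
    '{"ConfigRuleName":"codebuild-project-source-repo-url-check","Source":{"Owner":"AWS","SourceIdentifier":"CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK"}}'
}

if [ "${LIVE:-0}" = 1 ]; then
  scan_region "${AWS_REGION:-us-east-1}"
else
  printf '%s\n' "$SAMPLE_PROJECT_JSON" | scan_project_json
fi
```

Run it with no arguments to see the constructed sample flagged as `ci-bot https://bitbucket.org/acme/libs.git`; set LIVE=1 and AWS_REGION to scan a real region. The scanner deliberately prints the redacted URL and only the user name, because the point of the control is that the secret already sits in too many places; the scan output should not become one more.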
Remediation script · bash
# These commands cover the IAM side of the cleanup: a key that surfaced in a build project
# is treated as compromised. The source URL itself is fixed in the console, per the steps above.
# Find active access keys idle past 45 days and disable them (review before deleting).
# `date -d` is GNU date; on macOS use `date -u -v-45d +%Y-%m-%d`.
CUTOFF=$(date -u -d '45 days ago' +%Y-%m-%d)
# Report generation is asynchronous: if get-credential-report says the report is still in
# progress, run it again a few seconds later.
aws iam generate-credential-report >/dev/null
# Credential report columns used: $1 user, $9 access_key_1_active, $10 access_key_1_last_rotated,
# $11 access_key_1_last_used_date (ISO-8601, so a string compare against CUTOFF is correct).
# Keys never used show "N/A" and are not listed; check access_key_2 ($14, $15, $16) the same way.
aws iam get-credential-report --query Content --output text | base64 -d \
  | awk -F, -v c="$CUTOFF" 'NR>1 && $9=="true" && $11<c {print $1, $10}'
aws iam update-access-key --user-name old-contractor \
  --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive
# Apply the CIS-aligned IAM password policy in one idempotent call.
aws iam update-account-password-policy --minimum-password-length 14 \
  --require-uppercase-characters --require-lowercase-characters \
  --require-numbers --require-symbols --password-reuse-prevention 24
# A clear-text key in a build project is compromised: rotate and delete, never just relocate.
aws iam delete-access-key --user-name ci-deploy --access-key-id AKIAIOSFODNN7EXAMPLE
Full walkthrough (console steps, edge cases and verification) in the lesson Rotate and remove stale IAM credentials.
Is CodeBuild.1 a false positive?
The control inspects both the primary source and every secondary source — a clean primary URL does not excuse a credential embedded in a secondary source, which still fails the project.
More CodeBuild controls
- CodeBuild.2 CodeBuild env vars contain clear-text credentials
- CodeBuild.3 CodeBuild S3 logs should be encrypted
- CodeBuild.4 Projects should have a logging configuration
- CodeBuild.7 Report group exports should be encrypted at rest