CodeX Security Controls

A collection of AWS security controls for AWS CodeCommit, CodeBuild, and CodePipeline. The controls include templates to create CodeCommit repositories, CodePipeline pipelines, and CodeBuild projects, as well as AWS Config rules for monitoring compliance, IAM policies, and CloudWatch Alarms. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform.

CodeCommit

Configuration for creating a CodeCommit repository for privately storing and managing assets (such as documents, source code, and binary files) in AWS.

CodeBuild

Configuration template to create an AWS CodeBuild project with customizable settings for the project's name, description, service role, environment details, and more.

CodePipeline

Configuration for creating a CodePipeline pipeline to orchestrate the steps required to release your software in AWS. The configuration template includes options to build with other AWS Code services such as CodeBuild and CodeCommit.

Config Rule

A Config rule that checks whether the CodeBuild project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The rule is NON_COMPLIANT when the project environment variables contain plaintext credentials.

A Config rule that checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password. The rule is COMPLIANT when OAuth is used to grant authorization for accessing GitHub or Bitbucket repositories.

A Config rule that checks whether the first deployment stage of the AWS CodePipeline performs more than one deployment. Optionally, it checks whether each of the subsequent stages deploys to more than the specified number of deployments (deploymentLimit).

A Config rule that checks whether each stage in the AWS CodePipeline deploys to more than N times the number of regions the pipeline has deployed to in all previous stages combined, where N is the region fanout number. The first deployment stage can deploy to a maximum of one region, and the second deployment stage can deploy to at most the number specified in regionFanoutFactor. If you do not provide a regionFanoutFactor, the default value is three. For example, if the 1st deployment stage deploys to one region and the 2nd deployment stage deploys to three regions, the 3rd deployment stage can deploy to 12 regions, that is, the sum of the previous stages (four) multiplied by the region fanout number (three). The rule is NON_COMPLIANT if the deployment is in more than one region in the 1st stage, more than three regions in the 2nd stage, or more than 12 regions in the 3rd stage.

A Config rule that checks whether an AWS CodeBuild project has encryption enabled for all of its artifacts. The rule is NON_COMPLIANT if 'encryptionDisabled' is set to 'true' for any primary or secondary (if present) artifact configuration.

A Config rule that checks whether an AWS CodeBuild project environment has at least one log option enabled. The rule is NON_COMPLIANT if 'logsConfig' is not present or the status of all present log configurations is set to 'DISABLED'.

A Config rule that checks whether an AWS CodeBuild project configured with Amazon S3 logs has encryption enabled for its logs. The rule is NON_COMPLIANT if 'encryptionDisabled' is set to 'true' in the S3LogsConfig of a CodeBuild project.

IAM Policy

An IAM policy that allows read access to a specific CodeCommit repository. This policy also provides the permissions necessary to perform this access both programmatically and in the console.

An IAM policy that allows a user to use Git to pull from, and push to, a specific AWS CodeCommit repository.

An IAM policy that denies a user the ability to change or push changes to a specific branch in a specific AWS CodeCommit repository.

An IAM policy that allows a user to create build projects using only the specified AWS CodeBuild service role.

An IAM policy that allows a user to delete build projects.

An IAM policy that allows a user to change information about build projects using only the specified AWS CodeBuild service role.

An IAM policy that grants permissions to approve or reject manual approval actions in a specific pipeline.

An IAM policy that grants permissions to disable and enable transitions between all stages in a specific pipeline.
