A collection of AWS security controls for AWS CodeArtifact, AWS CodeDeploy, AWS CodeGuru, AWS CodeStar, AWS CodeCommit, AWS CodeBuild, and AWS CodePipeline. The controls include templates that create CodeCommit repositories, CodePipeline pipelines, and CodeBuild projects, as well as AWS Config rules for monitoring compliance, IAM policies, and CloudWatch alarms. Configuration templates are available in AWS CloudFormation, AWS CLI, and Terraform; the formats available for each control are listed under its description.

CodeBuild

CodeBuild Project

Configuration template to create an AWS CodeBuild project with customizable settings for the project's name, description, service role, environment details, and more.

Formats: CloudFormation, Terraform, AWS CLI

CodeBuild Bitbucket Source Credentials using AWS Secrets Manager

This template creates source credentials for a Bitbucket repository, with the access token read from AWS Secrets Manager rather than written into the template. It specifies the token, server type, username, and authentication type.

Formats: CloudFormation, Terraform

CodeBuild Project Example

This template creates an AWS CodeBuild project that runs a Java build environment on Linux, with its source read from the S3 bucket `codebuild-demo-test` at the specified object key. The template also includes a timeout configuration, tags, and a description.

Formats: CloudFormation, Terraform

CodeBuild Project using Amazon S3 and Amazon VPC

This template creates an AWS CodeBuild project that caches build dependencies in Amazon S3 and uses resources inside an Amazon VPC. The project is configured with a service role, artifacts, environment, source, timeout, VPC configuration, and cache configuration.

Formats: CloudFormation, Terraform

CodeBuild Project with Two Filter Groups

This template creates an AWS CodeBuild project whose webhook has two filter groups. A filter group triggers a build when all of its filters evaluate to true. The first filter group triggers a build when a pull request is created or updated against the master branch by a GitHub user whose account ID is not 12345. The second filter group triggers a build on a push that touches files whose names match the regular expression READ_ME, in branches whose Git reference names match the regular expression ^refs/heads/.*.

Formats: CloudFormation, Terraform

Create GitHub Enterprise source credentials using AWS Secrets Manager

This template creates source credentials for a GitHub Enterprise repository, with the personal access token read from AWS Secrets Manager. It specifies the token, server type, and authentication type.

Formats: CloudFormation, Terraform

AWS CodeBuild Project with Local Cache Configuration

This template configures an AWS CodeBuild project with local caching options to shorten build times.

Formats: Terraform

AWS CodeBuild Resource Policy for Report Group

Creates a CodeBuild report group and attaches a resource policy to it that allows specific actions for the account's root principal. Note that naming an account root as the principal of a resource policy delegates the decision to that account's IAM policies, so every identity in the account that IAM also allows can use those actions; scope the principal down if that is not intended.

Formats: Terraform

AWS CodeBuild and GitHub Enterprise Webhook Integration

Sets up a CodeBuild webhook and the matching GitHub Enterprise repository webhook so that push events trigger builds.

Formats: Terraform

CodePipeline

CodePipeline Pipeline

Configuration for creating a CodePipeline pipeline to orchestrate the steps required to release your software in AWS. The configuration template includes options to build with other AWS Code services such as CodeBuild and CodeCommit.

Formats: CloudFormation, Terraform, AWS CLI

CodePipeline Pipeline with Multiple Stages

This template creates a CodePipeline pipeline that describes how software changes move through a release process. The pipeline has stages for source, beta, and release. The source stage detects changes to an application stored in an S3 bucket and pulls them into the pipeline. The beta stage deploys the changes to EC2 instances using CodeDeploy. Inbound transitions into the release stage are disabled, with a reason specified, so you control when changes are promoted to release. The pipeline also uses an artifact store in an S3 bucket encrypted with a KMS key, and tags are added to the pipeline.

Formats: CloudFormation, Terraform

CodePipeline Webhook Example

This template creates a webhook named MyWebhook and registers it for the pipeline's GitHub source repository. The webhook's authentication configuration takes its secret token from AWS Secrets Manager (it references an existing secret, `MyGitHubSecret`), it filters for events on a specific branch, and it is associated with the specified pipeline and target action. The webhook is also registered with GitHub itself (RegisterWithThirdParty), so GitHub starts delivering events to it.

Formats: CloudFormation, Terraform

CodePipeline with Custom Action Type Resource Configuration

This template creates a custom build action type for CodePipeline. It requires users to specify a project name. The action type is in the 'Build' category, the provider is 'My-Build-Provider-Name', and the version is 'v1'. The configuration property defines a description, key, name, queryable, required, secret, and type. The input artifact details specify a minimum and maximum count of 1; the output artifact details specify a minimum count of 0 and a maximum count of 1. The settings include entity and execution URL templates. Tags are also included.

Formats: CloudFormation, Terraform

AWS CodePipeline with CodeBuild and CloudFormation Deployment

This template creates an AWS CodePipeline with stages for source control, building the project with AWS CodeBuild, and deploying with AWS CloudFormation.

Formats: Terraform

AWS CodePipeline Custom ActionType Example

Creates a custom action type in AWS CodePipeline in the build category, with the specified artifact details.

Formats: Terraform

CodeArtifact

CodeArtifact Repository with an Upstream Repository and External Connection

This template creates a CodeArtifact domain named 'my-domain' to hold repositories. It also creates two CodeArtifact repositories within the domain, 'my-repo' and 'my-upstream-repo'. 'my-repo' has 'my-upstream-repo' configured as an upstream repository, and 'my-upstream-repo' has an external connection to the public npmjs registry, so packages are pulled from npmjs through the upstream rather than by each consumer directly.

Formats: CloudFormation, Terraform

CodeArtifact Domain and Repository

This template creates a CodeArtifact domain named 'my-domain' and a CodeArtifact repository named 'my-repo' inside it.

Formats: CloudFormation, Terraform

CodeArtifact Domain with KMS encryption and an IAM Resource-Based Policy

This template creates a CodeArtifact domain named 'my-domain' with an AWS Key Management Service encryption key and attaches an IAM resource-based policy to the domain.

Formats: CloudFormation, Terraform

CodeArtifact Domain

This template creates a CodeArtifact domain named 'my-domain'.

Formats: CloudFormation, Terraform

AWS CodeArtifact Domain with Permissions Policy

Creates an AWS CodeArtifact domain with an associated KMS key for encryption and sets a domain permissions policy that allows repository creation.

Formats: Terraform

AWS CodeArtifact Repository with KMS and Domain

Creates an AWS CodeArtifact repository inside a domain that uses a KMS key for encryption.

Formats: Terraform

AWS CodeArtifact Repository Permissions Policy Setup

Sets up a CodeArtifact repository in a KMS-encrypted domain and defines a repository permissions policy that allows read access.

Formats: Terraform

CodeDeploy

CodeDeploy Configuration with Automatic Rollback Configuration and Notification

This template configures automatic rollback for the deployment group.

Formats: CloudFormation, Terraform

CodeDeploy Deployment for Load Balancer Target Group

This template specifies the target group to use in a deployment. Instances are registered as targets in the target group, and traffic is routed to the target group.

Formats: CloudFormation, Terraform

CodeDeploy Deployment with Billing Alarm

This template configures a billing alarm and a notification trigger for the deployment group.

Formats: CloudFormation, Terraform

CodeDeploy Sample Deployment Config

This template creates an AWS CodeDeploy deployment configuration with a minimum healthy hosts value of 75%. The deployment configuration specifies the number or percentage of instances that must remain available during a deployment.

Formats: CloudFormation, Terraform

CodeDeploy with Load Balancer Deployment

This template configures an Elastic Load Balancing load balancer for the deployment group. It creates a new load balancer together with a new VPC and subnet (plus an internet gateway for the public subnet). The template also includes an SNS topic for trigger notifications on Failure and Success events.

Formats: CloudFormation, Terraform

Blue Green Deployment with Servers and Classic ELB

Implements a blue/green deployment strategy for server-based applications using a Classic Load Balancer, with options for handling deployment timeouts and termination of the original (blue) instances.

Formats: Terraform

Basic CodeDeploy Deployment Group Setup with EC2 Tag Filters and SNS Notifications

Sets up a basic AWS CodeDeploy deployment group that selects instances with EC2 tag filters and sends SNS notifications on deployment failures.

Formats: Terraform

Blue Green Deployment with ECS using CodeDeploy

Configures a blue/green deployment for ECS services using AWS CodeDeploy, including the load balancer and traffic-routing setup.

Formats: Terraform

CodeStar

CodeStar GitHub Repository

This template creates a private GitHub repository with issues enabled. It specifies the location of the source code ZIP file in an S3 bucket, enables issues, sets the repository as private, and supplies a repository access token. The repository is described with a name, description, and owner.

Formats: CloudFormation, Terraform

CodeStar Bitbucket Connection Configuration

This template creates a connection to Bitbucket using the AWS::CodeStarConnections::Connection resource. The connection is named 'MyConnection', the provider type is set to 'Bitbucket', and the connection is tagged with the key 'Project' and the value 'ProjectB'. A connection created from a template starts in PENDING status; the OAuth handshake with the provider must be completed in the console before the connection can be used.

Formats: CloudFormation, Terraform

CodeStar GitHub Enterprise Server Connection Configuration

This template creates a connection to GitHub Enterprise Server using the AWS::CodeStarConnections::Connection resource. The connection is named 'MyConnection', the provider type is set to 'GitHubEnterpriseServer', and the host ARN 'arn:aws:codestar-connections:us-west-2:123456789123:host/abc123-example' is specified. The connection is tagged with the key 'Project' and the value 'ProjectB'. As with the Bitbucket connection, it remains PENDING until the handshake is completed in the console.

Formats: CloudFormation, Terraform

CodeStar Notification Rule

This template creates a notification rule for a resource. The rule specifies the events you want notifications about and the targets that receive them. The example creates a notification rule named 'My Notification Rule for Comments on Commits' for a CodeCommit repository. It specifies the event type 'codecommit-repository-comments-on-commits' and sets the target to an SNS topic with a subscription for the email address email@example.com. The notification rule is also tagged with a key-value pair identifying the team that owns the rule.

Formats: CloudFormation, Terraform

Config Rule

Codebuild Project Environment Variables AWS CRED Check

A Config rule that checks whether a CodeBuild project's environment variables include AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY. The rule is NON_COMPLIANT when the project's environment variables contain plaintext credentials. Long-lived access keys do not belong in a build definition: the project's service role already supplies credentials to the build container, and anything else should be referenced from Parameter Store or Secrets Manager.

Formats: CloudFormation, Terraform, AWS CLI

CodeBuild Project Source Repo Url Check

A Config rule that checks whether the GitHub or Bitbucket source repository URL embeds a personal access token or a user name and password. The rule is COMPLIANT when OAuth is used to authorize access to the GitHub or Bitbucket repository.

Formats: CloudFormation, Terraform, AWS CLI

CodePipeline Deployment Count Check

A Config rule that checks whether the first deployment stage of an AWS CodePipeline pipeline performs more than one deployment. Optionally, it also checks whether each subsequent stage deploys more than the specified number of deployments (deploymentLimit).

Formats: CloudFormation, Terraform, AWS CLI

CodePipeline Region Fanout Check

A Config rule that checks whether any stage of an AWS CodePipeline pipeline deploys to more than N times the number of regions deployed to in all previous stages combined, where N is the region fanout factor. The first deployment stage may deploy to at most one region, and the second may deploy to at most regionFanoutFactor regions. If you do not provide a regionFanoutFactor, the default is three. For example, if the first deployment stage deploys to one region and the second deploys to three regions, the third stage may deploy to 12 regions, that is, the sum of the previous stages (four) multiplied by the fanout factor (three). The rule is NON_COMPLIANT if the first stage deploys to more than one region, the second to more than three, or the third to more than 12.

Formats: CloudFormation, Terraform, AWS CLI

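
The deployment count check and the region fanout check are both counting rules over the pipeline's deploy stages, and the arithmetic is easiest to see in code. The following is an added example, not one of this collection's templates and not AWS's rule implementation: it re-implements the logic as described above against pipeline documents constructed in the shape of `aws codepipeline get-pipeline` output. The pipeline names, stage names and regions are hypothetical, and an action with no `region` field is assumed to run in the pipeline's own region.

```python
"""Offline models of the CodePipeline deployment-count and region-fanout checks.

Added example, not AWS's rule implementation. Pipelines are constructed here in
the shape of `aws codepipeline get-pipeline` output, reduced to the fields the
checks read (stage name, action category, optional cross-region "region").
"""
from typing import Dict, List, Optional, Tuple


def make_pipeline(name: str, deploy_stages: List[Tuple[str, List[str]]]) -> dict:
    """Build a minimal pipeline document: a Source stage followed by one Deploy
    stage per entry, with one Deploy action per listed region (constructed data)."""
    stages = [{"name": "Source", "actions": [
        {"name": "Fetch", "actionTypeId": {"category": "Source"}}]}]
    for stage_name, regions in deploy_stages:
        stages.append({"name": stage_name, "actions": [
            {"name": f"Deploy-{r}", "actionTypeId": {"category": "Deploy"}, "region": r}
            for r in regions]})
    return {"name": name, "stages": stages}


# Constructed sample pipelines (hypothetical names and regions).
GOOD_PIPELINE = make_pipeline("good", [
    ("Canary", ["us-east-1"]),
    ("Wave1", ["us-west-2", "eu-west-1", "ap-southeast-1"]),
])
BAD_PIPELINE = make_pipeline("bad", [
    ("Canary", ["us-east-1", "us-west-2"]),   # two deployments in the first deploy stage
    ("Wave1", ["eu-west-1"]),
])


def deploy_stage_summary(pipeline: dict, pipeline_region: str = "us-east-1") -> List[dict]:
    """Return, in order, only the stages that contain a Deploy action, with the
    number of deploy actions and the set of regions they target. An action with
    no "region" runs in the pipeline's own region (assumed us-east-1 here)."""
    summary = []
    for stage in pipeline["stages"]:
        deploys = [a for a in stage["actions"]
                   if a["actionTypeId"]["category"] == "Deploy"]
        if deploys:
            summary.append({
                "name": stage["name"],
                "deployments": len(deploys),
                "regions": {a.get("region", pipeline_region) for a in deploys},
            })
    return summary


def deployment_count_check(pipeline: dict,
                           deployment_limit: Optional[int] = None) -> Dict[str, str]:
    """First deploy stage: at most one deployment. Later deploy stages: at most
    deployment_limit deployments when a limit is given, otherwise unchecked."""
    results = {}
    for i, stage in enumerate(deploy_stage_summary(pipeline)):
        limit = 1 if i == 0 else deployment_limit
        compliant = limit is None or stage["deployments"] <= limit
        results[stage["name"]] = "COMPLIANT" if compliant else "NON_COMPLIANT"
    return results


def max_regions_per_stage(n_stages: int, fanout: int = 3) -> List[int]:
    """Worked ceiling from the rule description: stage 1 may reach one region and
    every later stage may reach fanout * (sum of all earlier stages' regions)."""
    limits: List[int] = []
    for i in range(n_stages):
        limits.append(1 if i == 0 else fanout * sum(limits))
    return limits


def region_fanout_check(pipeline: dict, fanout: int = 3) -> Dict[str, str]:
    """Per deploy stage, compare the number of regions targeted against
    fanout * (regions deployed to in all earlier deploy stages combined)."""
    results = {}
    deployed_so_far = 0
    for i, stage in enumerate(deploy_stage_summary(pipeline)):
        n_regions = len(stage["regions"])
        limit = 1 if i == 0 else fanout * deployed_so_far
        results[stage["name"]] = "COMPLIANT" if n_regions <= limit else "NON_COMPLIANT"
        deployed_so_far += n_regions
    return results


if __name__ == "__main__":
    print("fanout ceilings for four stages:", max_regions_per_stage(4))
    for p in (GOOD_PIPELINE, BAD_PIPELINE):
        print(p["name"], deployment_count_check(p, deployment_limit=2),
              region_fanout_check(p))
```

`max_regions_per_stage(4)` reproduces the worked ceilings from the description, `[1, 3, 12, 48]`; `BAD_PIPELINE` fails both checks at its first deploy stage because that stage holds two deployments to two regions, while `GOOD_PIPELINE` passes both with the default fanout and fails only when a stricter `fanout=2` or `deployment_limit=2` is supplied.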
CodeBuild Project Artifact Encryption Check

A Config rule that checks whether an AWS CodeBuild project has encryption enabled for all of its artifacts. The rule is NON_COMPLIANT if 'encryptionDisabled' is set to 'true' for any primary or secondary (if present) artifact configuration.

Formats: CloudFormation, Terraform, AWS CLI

CodeBuild Project Logging Enabled Check

A Config rule that checks whether an AWS CodeBuild project environment has at least one log option enabled. The rule is NON_COMPLIANT if 'logsConfig' is not present or the status of every present log configuration is 'DISABLED'.

Formats: CloudFormation, Terraform, AWS CLI

CodeBuild Project S3 Logs Encrypted Check

A Config rule that checks whether an AWS CodeBuild project configured with Amazon S3 logs has encryption enabled for those logs. The rule is NON_COMPLIANT if 'encryptionDisabled' is set to 'true' in the S3LogsConfig of a CodeBuild project.

Formats: CloudFormation, Terraform, AWS CLI

Check if CodeBuild project environment has privileged mode enabled

Checks whether an AWS CodeBuild project environment has privileged mode enabled. The rule is NON_COMPLIANT for a CodeBuild project if 'privilegedMode' is set to 'true'. Privileged mode gives the build container elevated access to the host's Docker daemon and is only needed by builds that themselves build Docker images, so it should be the exception rather than the default.

Formats: CloudFormation, Terraform

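
The six CodeBuild project rules listed above (plaintext AWS credentials in environment variables, credentials embedded in the source repository URL, artifact encryption, logging enabled, S3 log encryption, and privileged mode) all evaluate fields of the project definition, so they can be modelled together as one offline evaluator. The following is an added example, not one of this collection's templates and not AWS's managed-rule code: it re-implements the checks as described above over project documents in the shape of `aws codebuild batch-get-projects` output. The hardened and weak projects below are constructed for the example, with hypothetical project names, bucket names, and a placeholder token string; the assumption that only `PLAINTEXT` variables count as plaintext credentials (Parameter Store and Secrets Manager references do not) is the example's, as is treating S3 log encryption as relevant only when S3 logs are enabled.

```python
"""Offline re-implementation of the six CodeBuild project checks above.

Added example, not AWS's rule code. It evaluates project documents in the shape
of `aws codebuild batch-get-projects` output; the two projects below are
constructed here (hypothetical names, bucket names, and token strings).
"""
from typing import Dict, List
from urllib.parse import urlsplit

AWS_CRED_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}
GIT_HOSTED_SOURCES = {"GITHUB", "GITHUB_ENTERPRISE", "BITBUCKET"}

HARDENED_PROJECT = {
    "name": "hardened-project",
    "source": {"type": "GITHUB", "location": "https://github.com/example-org/app.git",
               "auth": {"type": "OAUTH"}},
    "artifacts": {"type": "S3", "location": "example-artifacts", "encryptionDisabled": False},
    "environment": {"type": "LINUX_CONTAINER", "privilegedMode": False,
                    # AWS credentials come from the service role; the only injected
                    # value is a Parameter Store reference, not a plaintext secret.
                    "environmentVariables": [{"name": "DEPLOY_ROLE_ARN",
                                              "value": "/cicd/deploy-role-arn",
                                              "type": "PARAMETER_STORE"}]},
    "logsConfig": {"cloudWatchLogs": {"status": "ENABLED", "groupName": "/codebuild/hardened"},
                   "s3Logs": {"status": "DISABLED"}},
}

WEAK_PROJECT = {
    "name": "weak-project",
    # Token embedded in the clone URL (constructed placeholder, not a real token).
    "source": {"type": "GITHUB",
               "location": "https://ghp_exampletoken@github.com/example-org/app.git"},
    "artifacts": {"type": "S3", "location": "example-artifacts", "encryptionDisabled": True},
    "environment": {"type": "LINUX_CONTAINER", "privilegedMode": True,
                    "environmentVariables": [
                        {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEKEY", "type": "PLAINTEXT"},
                        {"name": "AWS_SECRET_ACCESS_KEY", "value": "examplesecret", "type": "PLAINTEXT"}]},
    "logsConfig": {"cloudWatchLogs": {"status": "DISABLED"},
                   "s3Logs": {"status": "ENABLED", "location": "example-logs",
                              "encryptionDisabled": True}},
}

def envvar_awscred_check(project: dict) -> str:
    """NON_COMPLIANT if an AWS access-key variable is supplied as PLAINTEXT
    (PARAMETER_STORE and SECRETS_MANAGER references are not plaintext)."""
    env = project.get("environment", {}).get("environmentVariables", [])
    leaked = [v for v in env if v["name"] in AWS_CRED_VARS and v.get("type") == "PLAINTEXT"]
    return "NON_COMPLIANT" if leaked else "COMPLIANT"

def source_repo_url_check(project: dict) -> str:
    """NON_COMPLIANT if a GitHub/Bitbucket source URL carries userinfo
    (token@host or user:password@host); OAuth-authorized URLs carry none."""
    sources = [project.get("source", {})] + project.get("secondarySources", [])
    for src in sources:
        if src.get("type") in GIT_HOSTED_SOURCES:
            parts = urlsplit(src.get("location", ""))
            if parts.username or parts.password:
                return "NON_COMPLIANT"
    return "COMPLIANT"

def artifact_encryption_check(project: dict) -> str:
    """NON_COMPLIANT if the primary or any secondary artifact disables encryption."""
    artifacts = [project.get("artifacts", {})] + project.get("secondaryArtifacts", [])
    return "NON_COMPLIANT" if any(a.get("encryptionDisabled") for a in artifacts) else "COMPLIANT"

def logging_enabled_check(project: dict) -> str:
    """NON_COMPLIANT if logsConfig is absent or every log destination is DISABLED."""
    logs = project.get("logsConfig") or {}
    statuses = [cfg.get("status", "DISABLED") for cfg in logs.values()]
    return "COMPLIANT" if "ENABLED" in statuses else "NON_COMPLIANT"

def s3_logs_encrypted_check(project: dict) -> str:
    """NON_COMPLIANT if S3 logs are enabled with encryptionDisabled set to true."""
    s3 = (project.get("logsConfig") or {}).get("s3Logs", {})
    if s3.get("status") == "ENABLED" and s3.get("encryptionDisabled"):
        return "NON_COMPLIANT"
    return "COMPLIANT"

def privileged_mode_check(project: dict) -> str:
    """NON_COMPLIANT if the build container runs with privilegedMode true."""
    return "NON_COMPLIANT" if project.get("environment", {}).get("privilegedMode") else "COMPLIANT"

CHECKS = {
    "envvar_awscred": envvar_awscred_check,
    "source_repo_url": source_repo_url_check,
    "artifact_encryption": artifact_encryption_check,
    "logging_enabled": logging_enabled_check,
    "s3_logs_encrypted": s3_logs_encrypted_check,
    "privileged_mode": privileged_mode_check,
}

def evaluate_project(project: dict) -> Dict[str, str]:
    """Run every check and return {check_name: COMPLIANT | NON_COMPLIANT}."""
    return {name: check(project) for name, check in CHECKS.items()}

def non_compliant_checks(project: dict) -> List[str]:
    """Names of the checks the project fails, sorted for stable reporting."""
    return sorted(n for n, s in evaluate_project(project).items() if s == "NON_COMPLIANT")
```

`non_compliant_checks(WEAK_PROJECT)` reports five failures; the weak project passes only the logging check, because its S3 logs are enabled even though CloudWatch logs are off, which is exactly why the S3 log encryption check exists as a separate rule. The source URL check relies on `urlsplit` exposing the userinfo component, so `https://token@github.com/...` and `https://user:password@bitbucket.org/...` are both caught without any token-format matching.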
IAM Policy

Allow Read Access to an AWS CodeCommit Repository

An IAM policy that allows read access to a specific CodeCommit repository. This policy also provides the permissions necessary to complete this action programmatically and in the console.

Formats: CloudFormation, Terraform, AWS CLI

AWS CodeCommit: Allow a User to Use Git for a Single Repository

An IAM policy that allows a user to use Git to pull from, and push to, a specific AWS CodeCommit repository.

Formats: CloudFormation, Terraform, AWS CLI

AWS CodeCommit: Deny Write Access to Specific Branches in a Repository

An IAM policy that denies a user the ability to change, or push changes to, a specific branch in a specific AWS CodeCommit repository.

Formats: CloudFormation, Terraform, AWS CLI

AWS CodeBuild: Allow a User to Create Build Projects

An IAM policy that allows a user to create build projects using only the specified AWS CodeBuild service role.

Formats: CloudFormation, Terraform, AWS CLI

AWS CodeBuild: Allow a User to Delete Build Projects

An IAM policy that allows a user to delete build projects.

Formats: CloudFormation, Terraform, AWS CLI

AWS CodeBuild: Allow a User to Change Information About Build Projects

An IAM policy that allows a user to change information about build projects using only the specified AWS CodeBuild service role.

Formats: CloudFormation, Terraform, AWS CLI

AWS CodePipeline: Grant Permissions to Approve or Reject Manual Approval Actions

An IAM policy that grants permissions to approve or reject manual approval actions in a specific pipeline.

Formats: CloudFormation, Terraform, AWS CLI

AWS CodePipeline: Grant Permissions to Enable and Disable Transitions Between Stages

An IAM policy that grants permissions to disable and enable transitions between all stages in a specific pipeline.

Formats: CloudFormation, Terraform, AWS CLI