AWS CodeBuild - Docker Login in CI/CD Pipeline | Exam DOP-C01



Question

You are using the AWS CodeBuild service to handle the build task in a CI/CD pipeline.

In the pre-build phase of buildspec.yml there is a docker login command such as “docker login -u $USER_NAME -p $LOGIN_PASSWORD”, and its user name and password are provided as variables in the env phase of the same buildspec.yml file.

Answers

Explanations


Correct Answer - A.

The security issue in this case is that the registry credentials are exposed in plaintext in the buildspec.yml file, and this must be prevented.

See https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html for the specification of the buildspec.yml file.

Option A is CORRECT: Systems Manager Parameter Store is the appropriate place to store sensitive data such as these credentials, so they no longer appear in buildspec.yml.

In buildspec.yml, Parameter Store is referenced in the env section as follows (template from the buildspec reference; each key is the environment variable name and each value is the Parameter Store parameter name):

env:
  variables:
    key: "value"
    key: "value"
  parameter-store:
    key: "value"
    key: "value"
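As an added example (not taken from the exam page or from AWS documentation), here is the buildspec described in the question beside the option-A version that resolves the same two variables from Parameter Store at build time. The registry placeholder `REGISTRY` and the parameter names `/ci/docker/username` and `/ci/docker/password` are assumed; the password value in the weak variant is constructed for illustration.

```yaml
# Weak variant: the credentials are committed in plaintext with the repository.
# Anyone who can read buildspec.yml (repo, CodeBuild console, build logs) gets them.
version: 0.2
env:
  variables:
    USER_NAME: "ci-user"            # plaintext secret in source control
    LOGIN_PASSWORD: "hunter2"       # constructed sample value
phases:
  pre_build:
    commands:
      # -p also puts the password on the command line, where the build log can capture it
      - docker login -u $USER_NAME -p $LOGIN_PASSWORD REGISTRY

---
# Hardened variant (option A): the same variable names, but the values are fetched
# from Systems Manager Parameter Store when the build runs and never live in the file.
version: 0.2
env:
  parameter-store:
    # key = environment variable name, value = Parameter Store parameter name
    # (store both as SecureString parameters; names are placeholders)
    USER_NAME: "/ci/docker/username"
    LOGIN_PASSWORD: "/ci/docker/password"
phases:
  pre_build:
    commands:
      # --password-stdin reads the secret from stdin instead of the argument list,
      # so it does not appear in process listings or in the echoed build log line
      - echo "$LOGIN_PASSWORD" | docker login -u "$USER_NAME" --password-stdin REGISTRY
```

The CodeBuild service role must be allowed to call ssm:GetParameters on those parameter names (and to decrypt the key used for SecureString values), otherwise the build fails before the pre_build phase starts.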

Option B is incorrect: moving the repository to AWS CodeCommit has the same issue as GitHub, because the credentials are still in buildspec.yml. Credentials should not be put in buildspec.yml regardless of where it is hosted.

Option C is incorrect: restricting who can access the file is a mitigating control, but it does not fix the underlying problem, since the credentials remain in the file.

Option D is incorrect: the env phase of buildspec.yml cannot load its variables from a file in an S3 bucket.

The correct answer is D.

Explanation:

AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy. It supports many programming languages, including Java, Ruby, Python, and Go. AWS CodeBuild runs builds in Docker containers, which are specified in a buildspec.yml file.

In the pre-build phase of buildspec.yml, there is a docker login command such as “docker login -u $USER_NAME -p $LOGIN_PASSWORD”. This command is used to authenticate with the Docker registry before pushing or pulling images. The user name and password are provided as variables in the env phase in the same buildspec.yml file.

It is important to secure the user name and password in the buildspec.yml file to prevent unauthorized access. Here is an explanation of each option:

A. In the env phase of the buildspec.yml file, use parameter-store to specify the user name and password. The values are stored in the Systems Manager parameter store.

AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. It is a good practice to store secrets in Parameter Store rather than storing them in the buildspec.yml file. However, storing the values in Parameter Store does not eliminate the need for securing the buildspec.yml file. The file can still be accessed by unauthorized users, which can lead to a security breach.

B. Store the buildspec.yml file in AWS CodeCommit rather than GitHub as IAM rules can be configured in CodeCommit to ensure the security.

AWS CodeCommit is a fully managed source control service that makes it easy for companies to host secure and highly scalable private Git repositories. It provides IAM-based authentication and authorization to secure the repositories. However, storing the buildspec.yml file in CodeCommit does not address the security concern of storing secrets in the file. IAM rules can only control who can access the repository, but they cannot control who can access the file.

C. Add a strong IAM rule in AWS CodeBuild to make sure that only limited users can access the buildspec.yml file.

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. You can use IAM to create and manage AWS users and groups, and assign permissions to them. Adding a strong IAM rule in AWS CodeBuild can limit the users who can access the buildspec.yml file. However, it does not address the security concern of storing secrets in the file. If an unauthorized user gains access to the file, they can still obtain the user name and password.

D. Store the credentials in a file and put the file in an S3 bucket. Encrypt the S3 bucket via SSE-S3. Modify the buildspec.yml file to use the encrypted file in the S3 bucket.

Storing the credentials in a file and putting the file in an S3 bucket is a good practice to secure secrets in AWS. You can encrypt the S3 bucket using server-side encryption with Amazon S3-managed keys (SSE-S3). SSE-S3 helps you protect data at rest by automatically encrypting your data before it is written to disk. You can also use AWS KMS-managed keys or customer-provided keys to encrypt the S3 bucket. Modifying the buildspec.yml file to use the encrypted file in the S3 bucket ensures that the user name and password are not exposed in the file.

Therefore, option D is the correct answer.