Unanchored ACCOUNT_ID webhook filters for CodeBuild
Bulletin ID: 2026-002-AWS
Scope: AWS
Content Type: Informational
Publication Date: 2026/01/15 07:03 AM PST
Description:
A security research team identified a configuration issue affecting the following AWS-managed open source GitHub repositories that could have resulted in the introduction of inappropriate code:
- aws-sdk-js-v3
- aws-lc
- amazon-corretto-crypto-provider
- awslabs/open-data-registry
Specifically, the researchers identified that the regular expressions configured in the above repositories' AWS CodeBuild webhook filters, intended to limit builds to trusted actor IDs, were insufficient: a predictably acquired actor ID could match the filter and gain administrative permissions for the affected repositories. We can confirm these were project-specific misconfigurations in the webhook actor ID filters of these repositories and not an issue in the CodeBuild service itself. The researchers carefully demonstrated the ability to commit inappropriate code to one repository and promptly informed AWS Security of their research activity and its potential negative impact.
No inappropriate code was introduced to any of the affected repositories during this security research activity. The activity had no impact on any AWS customer environments and did not affect any AWS services or infrastructure. No customer action is required.
AWS immediately investigated and remediated all reported concerns highlighted by this research. The core issue of actor ID filter bypass due to insufficient regular expressions for the identified repositories was mitigated within 48 hours of initial disclosure. Additional mitigations were implemented, including credential rotations and further protections of build processes that contain GitHub tokens or any other credentials in memory.
Furthermore, AWS audited all other AWS-managed open source GitHub repositories to ensure no such misconfigurations exist across the entirety of AWS open source projects. Finally, AWS audited the logs of those public build repositories as well as associated CloudTrail logs and determined that no other actor has taken advantage of this demonstrated issue.
This research reinforced the importance of auditing AWS CodeBuild environments to ensure that any access controls based on the ACTOR_ID filter are properly scoped and configured to match their allow-listed identities only. Along with the other security best practices in AWS documentation, CodeBuild's pull request build policies feature is an additional defense-in-depth mechanism for CI/CD security concerns.
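As an added example (not from the bulletin and not AWS code), the kind of audit this passage recommends: a Python checker over webhook filter groups shaped like CodeBuild's `filterGroups` structure, flagging `ACTOR_ACCOUNT_ID` patterns (the CodeBuild filter type the bulletin refers to as ACTOR_ID) that are not anchored to the whole ID, and building the anchored allow-list form. It assumes that an unanchored pattern is matched as a substring search, and the actor IDs and filter groups below are constructed.

```python
"""Audit CodeBuild webhook filter groups for unanchored ACTOR_ACCOUNT_ID patterns."""
import re

ACTOR_FILTER = "ACTOR_ACCOUNT_ID"  # CodeBuild webhook filter type for the acting GitHub user


def _has_toplevel_alternation(body: str) -> bool:
    """True if `|` appears outside any parenthesised group (so anchors only bind the outer branches)."""
    depth, i = 0, 0
    while i < len(body):
        c = body[i]
        if c == "\\":              # skip escaped character
            i += 2
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif c == "|" and depth == 0:
            return True
        i += 1
    return False


def is_anchored(pattern: str) -> bool:
    """True only if the pattern can match nothing but a complete actor ID."""
    m = re.fullmatch(r"(\^|\\A)(.*)(\$|\\[Zz])", pattern, re.DOTALL)
    return m is not None and not _has_toplevel_alternation(m.group(2))


def actor_matches(pattern: str, actor_id: str) -> bool:
    """Assumed filter semantics: substring search, so '12345' also matches '123456'."""
    return re.search(pattern, actor_id) is not None


def anchored_allow_list(actor_ids) -> str:
    """Build the hardened form: a grouped, fully anchored allow-list of literal IDs."""
    return "^(" + "|".join(re.escape(i) for i in actor_ids) + ")$"


def audit(filter_groups) -> list:
    """Return every ACTOR_ACCOUNT_ID pattern in the filter groups that is not anchored."""
    return [f["pattern"] for group in filter_groups for f in group
            if f.get("type") == ACTOR_FILTER and not is_anchored(f["pattern"])]


# Constructed filter groups: the weak form beside its corrected form.
WEAK_FILTER_GROUPS = [[
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": ACTOR_FILTER, "pattern": "12345|67890"},            # unanchored allow-list
]]
FIXED_FILTER_GROUPS = [[
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": ACTOR_FILTER, "pattern": anchored_allow_list(["12345", "67890"])},
]]
```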
Acknowledgement:
We would like to thank Wiz Security’s research team for their work in identifying this issue and their responsible collaboration with us to ensure that our customers remain protected and secure.
Please email aws-security@amazon.com with any security questions or concerns.