AWS Security ChangesHomeSearch

AWS codebuild high security documentation change

Service: codebuild · 2025-05-16 · Security-related high

File: codebuild/latest/userguide/action-runner-troubleshoot-webhook.md

Summary

Added troubleshooting guidance for GitHub deployment protection rule misconfigurations

Security assessment

The change documents a security-related misconfiguration where builds could trigger before deployment approval, emphasizing proper permissions to prevent unauthorized execution.

Diff

diff --git a/codebuild/latest/userguide/action-runner-troubleshoot-webhook.md b/codebuild/latest/userguide/action-runner-troubleshoot-webhook.md
index ad2a3579a..2b186bc39 100644
--- a//codebuild/latest/userguide/action-runner-troubleshoot-webhook.md
+++ b//codebuild/latest/userguide/action-runner-troubleshoot-webhook.md
@@ -60,0 +61,6 @@ After finding the webhook delivery you're looking to debug and noting the delive
+**Issue:** Your GitHub Actions with [deployment protection](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-deployments/reviewing-deployments) rules enabled triggers builds within CodeBuild before the deployment has been approved.
+
+**Possible causes:** CodeBuild fetches the deployment and environment associated with the GitHub Actions job if they exist to verify if the is approved. If CodeBuild fails to fetch either the deployment or environment, the CodeBuild build may be triggered prematurely.
+
+**Recommended solutions:** Verify that the credentials associated with your CodeBuild projects have read permissions for deployments and actions within GitHub.
+