Undocumented AWS CodeBuild Endpoints Expose Privileged Tokens: Mitigation Strategies for Lateral Movement Risks


via Dev.to, by Ksenia Rudneva

Introduction & Threat Overview

Undocumented AWS CodeBuild endpoints represent a critical security vulnerability, enabling unauthorized extraction of privileged tokens from AWS CodeConnections. These tokens, typically GitHub App tokens or BitBucket JWT App tokens, serve as master keys, granting extensive access across organizational codebases. This vulnerability is not theoretical but an active exploit vector, facilitating lateral movement and privilege escalation within cloud-native CI/CD pipelines. A single compromised CodeBuild job can thus become a pivot point for broader infrastructure compromise.

The exploitation mechanism hinges on the bootstrapping phase of a CodeBuild job, where the system initiates API requests prior to executing user code. By intercepting these requests, attackers can identify and leverage undocumented endpoints that bypass AWS’s documented APIs to retrieve raw tokens. These endpoints, being undocumented, remain invisible to developers and security teams, ex
