Setting up GitHub with a personal access token and network access for a Lambda function | by Teri Radichel | Cloud Security | September 2023


ACM.316 Configuring fine-grained personal access token and network access to a GitHub organization for AWS NAT

Part of my series on Automation of cybersecurity measures. Lambda. NOTNetwork Security. GitHub Security. Deploy a static website. THE Coded.

Free content on Cybersecurity Jobs | Register at Broadcast list

In the last article, I created an AWS Secrets Manager secret that has a policy that grants a Lambda function read-only access to the secret.

In this article, I want to clone a private repository to my container.

Remember that before doing this I did the following in previous articles:

  • Configure a private network with outbound access via NAT.
  • Locked inbound access to call the Lambda function to specific IP addresses via an SCP.
  • Configure Elastic Container Registry (ECR) and modify the resource policy so that Lambda can access the containers it contains.
  • Deploy a Lambda function that runs a container.
  • Created a custom runtime to run bash in the container.
  • Created a mechanism to test the Lambda container locally outside of the container service.
  • Deploying a secret to the Lambda function that the Lambda function can read and an administrator can modify.
  • Enabling Lambda event logging and enabling CloudWatch logs for Lambda.

All these articles are in this sub-series:

The steps above help prevent an attacker from obtaining our personal Github access token that we will add to AWS. Nothing is ever foolproof, but the attacker would not only have to gain credentials, but also network access. Additionally, the PAT will…

Leave a comment