
CodeBuild project encryption is disabled

Description

AWS CodeBuild is a fully managed build service in the cloud that compiles source code, runs unit tests, and produces artifacts that are ready to deploy.

We recommend enabling CodeBuild project encryption to protect sensitive information, such as passwords and other credentials required to access external services during the build process, from security breaches.

NOTE: Build artifacts, such as a cache, logs, exported raw test report data files, and build results are encrypted by default using CMKs for Amazon S3 that are managed by the AWS Key Management Service.

If you do not want to use these CMKs, you must create and configure a customer-managed CMK.

Code Example

```hcl
resource "aws_codebuild_project" "project-with-cache" {
  ...
  name           = "test-project-cache"
  artifacts {
+    encryption_disabled = false
  }
  ...
}
```

Remediation

Terraform

  • Resource: aws_codebuild_project
  • Arguments: encryption_disabled - (Optional) If set to true, output artifacts will not be encrypted.

If type is set to NO_ARTIFACTS, this value is ignored. Defaults to false. To fix, either set encryption_disabled to false or remove the attribute.
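The rule semantics above (attribute defaults to false, ignored for NO_ARTIFACTS, fails only when explicitly true) are easy to get wrong in a custom check. The following is an added example, not Checkov's own implementation of CKV_AWS_78: a small Python checker that applies those semantics to a parsed `terraform show -json` plan and to a CloudFormation template loaded as a dict. The plan and template documents are constructed here for the demonstration; the plan layout (`planned_values.root_module.resources[].values.artifacts[0]`) and the CloudFormation `Artifacts.EncryptionDisabled` property are assumptions about the standard shapes of those documents.

```python
"""Added example: evaluate the CodeBuild artifact-encryption rule over parsed
Terraform plan JSON and CloudFormation templates. Not Checkov's own code."""

# Artifact type for which encryption_disabled is ignored (from the rule text).
NO_ARTIFACTS = "NO_ARTIFACTS"


def artifacts_encrypted(artifact_type, encryption_disabled):
    """Return True when output artifacts will be encrypted.

    Mirrors the remediation text: the attribute defaults to false (encrypted)
    and is ignored entirely when the artifact type is NO_ARTIFACTS.
    """
    if artifact_type == NO_ARTIFACTS:
        return True
    return not bool(encryption_disabled)


def check_terraform_plan(plan):
    """Evaluate every aws_codebuild_project in a `terraform show -json` plan.

    Returns {resource_address: "PASSED" | "FAILED"}. The artifacts block is
    serialised in plan JSON as a list with at most one element (assumed layout).
    """
    results = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in root.get("resources", []):
        if res.get("type") != "aws_codebuild_project":
            continue
        values = res.get("values", {})
        artifacts = (values.get("artifacts") or [{}])[0]
        ok = artifacts_encrypted(
            artifacts.get("type"), artifacts.get("encryption_disabled", False)
        )
        results[res["address"]] = "PASSED" if ok else "FAILED"
    return results


def check_cloudformation(template):
    """Evaluate AWS::CodeBuild::Project resources in a CloudFormation template dict.

    The Artifacts property carries Type and EncryptionDisabled.
    """
    results = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::CodeBuild::Project":
            continue
        artifacts = res.get("Properties", {}).get("Artifacts", {})
        ok = artifacts_encrypted(
            artifacts.get("Type"), artifacts.get("EncryptionDisabled", False)
        )
        results[logical_id] = "PASSED" if ok else "FAILED"
    return results


# Constructed sample plan: one failing project, one relying on the default,
# and one NO_ARTIFACTS project where the attribute must be ignored.
SAMPLE_PLAN = {
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_codebuild_project.exposed", "type": "aws_codebuild_project",
         "values": {"artifacts": [{"type": "S3", "encryption_disabled": True}]}},
        {"address": "aws_codebuild_project.default", "type": "aws_codebuild_project",
         "values": {"artifacts": [{"type": "S3"}]}},
        {"address": "aws_codebuild_project.none", "type": "aws_codebuild_project",
         "values": {"artifacts": [{"type": "NO_ARTIFACTS", "encryption_disabled": True}]}},
        {"address": "aws_s3_bucket.other", "type": "aws_s3_bucket", "values": {}},
    ]}}
}

# Constructed sample CloudFormation template with one failing project.
SAMPLE_TEMPLATE = {"Resources": {
    "BuildProject": {"Type": "AWS::CodeBuild::Project",
                     "Properties": {"Artifacts": {"Type": "S3", "EncryptionDisabled": True}}},
    "QuietProject": {"Type": "AWS::CodeBuild::Project",
                     "Properties": {"Artifacts": {"Type": "S3"}}},
}}


if __name__ == "__main__":
    for name, result in check_terraform_plan(SAMPLE_PLAN).items():
        print(f"{result}: {name}")
    for name, result in check_cloudformation(SAMPLE_TEMPLATE).items():
        print(f"{result}: {name}")
```

Only `aws_codebuild_project.exposed` and `BuildProject` fail; the project that omits the attribute passes because the default is false, and the NO_ARTIFACTS project passes even though it sets the attribute to true, which is the case a naive "is the attribute true" check would misreport.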

Rule Details

| Field | Value |
| --- | --- |
| ID | IAC-0131 |
| Severity | MEDIUM |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_78 |

References