CodeBuild Project encryption is disabled
| ID | codebuild_project_encryption_disabled |
| Severity | high |
| Vendor | AWS |
| Resource | CodeBuild |
| Tags | reachable |
Description
AWS CodeBuild is a fully managed build service in the cloud. CodeBuild compiles source code, runs unit tests, and produces artifacts that are ready to deploy. Build artifacts (the cache, logs, exported raw test report data files, and build results) are encrypted by default using the keys for Amazon S3 that are managed by the AWS Key Management Service.
This encryption can be disabled, but doing so is a security issue: sensitive information contained in the artifacts may leak, and unencrypted build artifacts are easier to tamper with.
See the documentation for codebuild_project for further details.
The detector can optionally also check that an explicit KMS key is used to encrypt the build output. Set the enforceExplicitKey detector property to enable this check.
Examples
CloudFormation
{
  "Resources": {
    "MyCodeBuildProject": {
      "Type": "AWS::CodeBuild::Project",
      "Properties": {
        "Artifacts": {
          "EncryptionDisabled": true, (1)
          "Location": "MyS3BucketName",
          "Name": "/",
          "Type": "S3"
        }
      }
    }
  }
}
(1) EncryptionDisabled set to true means encryption is disabled.
Resources:
  MyCodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        EncryptionDisabled: true (1)
        Location: MyS3BucketName
        Name: /
        Type: S3
(1) EncryptionDisabled set to true means encryption is disabled.
Mitigation / Fix
Buildtime
CloudFormation
{
  "Resources": {
    "MyCodeBuildProject": {
      "Type": "AWS::CodeBuild::Project",
      "Properties": {
        "Artifacts": {
          "EncryptionDisabled": false, (1)
          "Location": "MyS3BucketName",
          "Name": "/",
          "Type": "S3"
        }
      }
    }
  }
}
(1) EncryptionDisabled set to false means encryption is enabled.
Resources:
  MyCodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        EncryptionDisabled: false (1)
        Location: MyS3BucketName
        Name: /
        Type: S3
(1) EncryptionDisabled set to false means encryption is enabled.
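The check the detector performs, written out as an added Python example (not the detector's own code): it scans a JSON CloudFormation template for AWS::CodeBuild::Project resources whose artifacts have EncryptionDisabled set, accepting both the JSON boolean and the string form CloudFormation allows, and with enforce_explicit_key mirrors the enforceExplicitKey option by also flagging projects that leave the top-level EncryptionKey property unset. It goes slightly beyond the page by also inspecting each entry of SecondaryArtifacts; the template, resource names and KMS key ARN are constructed sample data.

```python
import json
from typing import Dict, List

# Constructed sample template (not from the page): one project with artifact
# encryption disabled, one relying on the default AWS managed key, one with an
# explicit KMS key but an unencrypted secondary artifact, and one non-CodeBuild
# resource that must be ignored. The key ARN is a placeholder.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "NoEncryption": {"Type": "AWS::CodeBuild::Project", "Properties": {
        "Artifacts": {"EncryptionDisabled": True, "Type": "S3", "Location": "MyS3BucketName"}}},
    "DefaultKey": {"Type": "AWS::CodeBuild::Project", "Properties": {
        "Artifacts": {"EncryptionDisabled": "false", "Type": "S3", "Location": "MyS3BucketName"}}},
    "ExplicitKey": {"Type": "AWS::CodeBuild::Project", "Properties": {
        "EncryptionKey": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        "Artifacts": {"Type": "S3", "Location": "MyS3BucketName"},
        "SecondaryArtifacts": [{"ArtifactIdentifier": "reports", "Type": "S3",
                                "Location": "MyS3BucketName", "EncryptionDisabled": True}]}},
    "NotAProject": {"Type": "AWS::S3::Bucket", "Properties": {}},
}})


def _is_true(value) -> bool:
    """CloudFormation accepts a Boolean as JSON true/false or as the string
    "true"/"false"; normalise both forms. An absent property defaults to false."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def find_unencrypted_codebuild(template_json: str,
                               enforce_explicit_key: bool = False) -> List[Dict[str, str]]:
    """One finding per artifact block (primary or secondary) with EncryptionDisabled
    true and, when enforce_explicit_key is set, per project with no EncryptionKey."""
    template = json.loads(template_json)
    findings: List[Dict[str, str]] = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::CodeBuild::Project":
            continue
        props = res.get("Properties") or {}
        # Primary artifacts plus every entry of SecondaryArtifacts, if present.
        blocks = [("Artifacts", props.get("Artifacts") or {})]
        for i, sec in enumerate(props.get("SecondaryArtifacts") or []):
            blocks.append((f"SecondaryArtifacts[{i}]", sec))
        for path, block in blocks:
            if _is_true(block.get("EncryptionDisabled", False)):
                findings.append({"resource": name, "reason": f"{path}.EncryptionDisabled is true"})
        if enforce_explicit_key and not props.get("EncryptionKey"):
            findings.append({"resource": name, "reason": "no explicit EncryptionKey set"})
    return findings
```

Running find_unencrypted_codebuild(SAMPLE_TEMPLATE) reports NoEncryption and the secondary artifact of ExplicitKey; with enforce_explicit_key=True, NoEncryption and DefaultKey are additionally flagged for relying on the AWS managed key.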