AWS CodeBuild controls - AWS Security Hub
[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials[CodeBuild.3] CodeBuild S3 logs should be encrypted[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled

AWS CodeBuild controls

These controls are related to CodeBuild resources.

[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

Related requirements: PCI DSS v3.2.1/8.2.1, NIST.800-53.r5 SA-3

Category: Protect > Secure development

Severity: Critical

Resource type: AWS::CodeBuild::Project

AWS Config rule: codebuild-project-source-repo-url-check

Schedule type: Change triggered

Parameters: None

This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.

Note

This control isn't supported in the following Regions:

  • Africa (Cape Town)

  • Asia Pacific (Hyderabad)

  • Europe (Milan)

  • Europe (Spain)

  • Europe (Zurich)

  • Middle East (UAE)

  • AWS GovCloud (US-East)

  • AWS GovCloud (US-West)

Sign-in credentials should never be stored or transmitted in clear text or appear in the repository URL. Instead of personal access tokens or sign-in credentials, you should use OAuth to grant authorization for accessing GitHub or Bitbucket repositories. Using personal access tokens or sign-in credentials could expose your credentials to unintended data exposure and unauthorized access.

Remediation

You can update your CodeBuild project to use OAuth.

To remove basic authentication / (GitHub) Personal Access Token from CodeBuild project source

  1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.

  2. Choose the build project that contains personal access tokens or a user name and password.

  3. From Edit, choose Source.

  4. Choose Disconnect from GitHub / Bitbucket.

  5. Choose Connect using OAuth, then choose Connect to GitHub / Bitbucket.

  6. When prompted, choose authorize as appropriate.

  7. Reconfigure your repository URL and additional configuration settings, as needed.

  8. Choose Update source.

For more information, refer to CodeBuild use case-based samples in the AWS CodeBuild User Guide.

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

Related requirements: PCI DSS v3.2.1/8.2.1, NIST.800-53.r5 IA-5(7), NIST.800-53.r5 SA-3

Category: Protect > Secure development

Severity: Critical

Resource type: AWS::CodeBuild::Project

AWS Config rule: codebuild-project-envvar-awscred-check

Schedule type: Change triggered

Parameters: None

This control checks whether the project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

Authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access.

Note

This control isn't supported in the following Regions:

  • Africa (Cape Town)

  • Asia Pacific (Hyderabad)

  • Europe (Milan)

  • Europe (Spain)

  • Europe (Zurich)

  • Middle East (UAE)

  • AWS GovCloud (US-East)

  • AWS GovCloud (US-West)

Remediation

To remediate this issue, update your CodeBuild project to remove the environment variable.

To remove environment variables from a CodeBuild project

  1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.

  2. Expand Build.

  3. Choose Build project, and then choose the build project that contains plaintext credentials.

  4. From Edit, choose Environment.

  5. Expand Additional configuration.

  6. Choose Remove next to the environment variables.

  7. Choose Update environment.

To store sensitive values in the AWS Systems Manager Parameter Store and then retrieve them from your build spec

  1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.

  2. Expand Build.

  3. Choose Build project, and then choose the build project that contains plaintext credentials.

  4. From Edit, choose Environment.

  5. Expand Additional configuration and scroll to Environment variables.

  6. Follow this tutorial to create a Systems Manager parameter that contains your sensitive data.

  7. After you create the parameter, copy the parameter name.

  8. Back in the CodeBuild console, choose Create environmental variable.

  9. Enter the name of your variable as it appears in your build spec.

  10. For Value, paste the name of your parameter.

  11. For Type, choose Parameter.

  12. To remove your noncompliant environmental variable that contains plaintext credentials, choose Remove.

  13. Choose Update environment.

For more information, see Environment variables in build environments in the AWS CodeBuild User Guide.

[CodeBuild.3] CodeBuild S3 logs should be encrypted

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SI-7(6)

Category: Protect > Data protection > Encryption of data-at-rest

Severity: Low

Resource type: AWS::CodeBuild::Project

AWS Config rule: codebuild-project-s3-logs-encrypted

Schedule type: Change triggered

Parameters: None

This control checks if Amazon S3 logs for an AWS CodeBuild project are encrypted. The control fails if encryption is deactivated for S3 logs for a CodeBuild project.

Encryption of data at rest is a recommended best practice to add a layer of access management around your data. Encrypting the logs at rest reduces the risk that a user not authenticated by AWS will access the data stored on disk. It adds another set of access controls to limit the ability of unauthorized users to access the data.

Note

This control isn't supported in the following Regions:

  • Asia Pacific (Hyderabad)

  • Asia Pacific (Jakarta)

  • Asia Pacific (Osaka)

  • China (Beijing)

  • China (Ningxia)

  • Europe (Spain)

  • Europe (Zurich)

  • Middle East (UAE)

  • AWS GovCloud (US-East)

  • AWS GovCloud (US-West)

Remediation

To change the encryption settings for CodeBuild project S3 logs, see Change a build project's settings in AWS CodeBuild in the AWS CodeBuild User Guide.

[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration

Related requirements: NIST.800-53.r5 AC-2(12), NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-9(7), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4, NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8)

Category: Identify > Logging

Severity: Medium

Resource type: AWS::CodeBuild::Project

AWS Config rule: codebuild-project-logging-enabled

Schedule type: Change triggered

Parameters: None

This control checks whether a CodeBuild project environment has at least one log option, either to S3 or CloudWatch logs enabled. This control fails if a CodeBuild project environment does not have at least one log option enabled.

From a security perspective, logging is an important feature to enable for future forensics efforts in the case of any security incidents. Correlating anomalies in CodeBuild projects with threat detections can increase confidence in the accuracy of those threat detections.

Note

This control isn't supported in the following Regions:

  • Asia Pacific (Hyderabad)

  • Europe (Spain)

  • Europe (Zurich)

  • Middle East (UAE)

Remediation

For more information on how to configure CodeBuild project log settings, see Create a build project (console) in the CodeBuild User Guide.

[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled

Related requirements: NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(10), NIST.800-53.r5 AC-6(2)

Category: Protect > Secure Access Management

Severity: High

Resource type: AWS::CodeBuild::Project

AWS Config rule: codebuild-project-environment-privileged-check

Schedule type: Change triggered

Parameters: None

This control checks if an AWS CodeBuild project environment has privileged mode enabled. This control fails when an AWS CodeBuild project environment has privileged mode enabled.

By default, Docker containers do not allow access to any devices. Privileged mode grants a build project's Docker container access to all devices. Setting privilegedMode with value true enables running the Docker daemon inside a Docker container. The Docker daemon listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes. This parameter should only be set to true if the build project is used to build Docker images. Otherwise, this setting should be disabled to prevent unintended access to Docker APIs as well as the container's underlying hardware as unintended access to privilegedMode may risk malicious tampering or deletion of critical resources.

Note

This control isn't supported in the following Regions:

  • Asia Pacific (Hyderabad)

  • Europe (Spain)

  • Europe (Zurich)

  • Middle East (UAE)

Remediation

For more information on how to configure CodeBuild project environment settings, see Create a build project (console) in the CodeBuild User Guide