AWS CodeBuild controls
These controls are related to CodeBuild resources.
[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
Related requirements: PCI DSS v3.2.1/8.2.1, NIST.800-53.r5 SA-3
Category: Protect > Secure development
Severity: Critical
Resource type: AWS::CodeBuild::Project
AWS Config rule: codebuild-project-source-repo-url-check
Schedule type: Change triggered
Parameters: None
This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.
This control isn't supported in the following Regions:
- Africa (Cape Town)
- Asia Pacific (Hyderabad)
- Europe (Milan)
- Europe (Spain)
- Europe (Zurich)
- Middle East (UAE)
- AWS GovCloud (US-East)
- AWS GovCloud (US-West)
Sign-in credentials should never be stored or transmitted in clear text or appear in the repository URL. Instead of personal access tokens or sign-in credentials, use OAuth to grant CodeBuild authorization to access GitHub or Bitbucket repositories. Embedding personal access tokens or sign-in credentials in the URL could lead to unintended exposure of those credentials and to unauthorized access.
Remediation
You can update your CodeBuild project to use OAuth.
To remove basic authentication / (GitHub) Personal Access Token from CodeBuild project source
- Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
- Choose the build project that contains personal access tokens or a user name and password.
- From Edit, choose Source.
- Choose Disconnect from GitHub / Bitbucket.
- Choose Connect using OAuth, then choose Connect to GitHub / Bitbucket.
- When prompted, choose authorize as appropriate.
- Reconfigure your repository URL and additional configuration settings, as needed.
- Choose Update source.
For more information, refer to CodeBuild use case-based samples in the AWS CodeBuild User Guide.
[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
Related requirements: PCI DSS v3.2.1/8.2.1, NIST.800-53.r5 IA-5(7), NIST.800-53.r5 SA-3
Category: Protect > Secure development
Severity: Critical
Resource type: AWS::CodeBuild::Project
AWS Config rule: codebuild-project-envvar-awscred-check
Schedule type: Change triggered
Parameters: None
This control checks whether the project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
Authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access.
This control isn't supported in the following Regions:
- Africa (Cape Town)
- Asia Pacific (Hyderabad)
- Europe (Milan)
- Europe (Spain)
- Europe (Zurich)
- Middle East (UAE)
- AWS GovCloud (US-East)
- AWS GovCloud (US-West)
Remediation
To remediate this issue, update your CodeBuild project to remove the environment variable.
To remove environment variables from a CodeBuild project
- Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
- Expand Build.
- Choose Build project, and then choose the build project that contains plaintext credentials.
- From Edit, choose Environment.
- Expand Additional configuration.
- Choose Remove next to the environment variables.
- Choose Update environment.
To store sensitive values in the AWS Systems Manager Parameter Store and then retrieve them from your build spec
- Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
- Expand Build.
- Choose Build project, and then choose the build project that contains plaintext credentials.
- From Edit, choose Environment.
- Expand Additional configuration and scroll to Environment variables.
- Follow this tutorial to create a Systems Manager parameter that contains your sensitive data.
- After you create the parameter, copy the parameter name.
- Back in the CodeBuild console, choose Create environmental variable.
- Enter the name of your variable as it appears in your build spec.
- For Value, paste the name of your parameter.
- For Type, choose Parameter.
- To remove your noncompliant environmental variable that contains plaintext credentials, choose Remove.
- Choose Update environment.
For more information, see Environment variables in build environments in the AWS CodeBuild User Guide.
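The following added example (not AWS code, and not the logic of the Config rules themselves) evaluates a CodeBuild project description against CodeBuild.1 and CodeBuild.2: it flags a GitHub or Bitbucket source URL that carries embedded userinfo (a token or user:password) and flags AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY stored as a PLAINTEXT environment variable. The input follows the shape of a `projects` entry returned by the `codebuild:BatchGetProjects` API; the sample project, token and key values are constructed placeholders, and treating non-PLAINTEXT variable types (Parameter Store, Secrets Manager) as compliant is an assumption.

```python
from urllib.parse import urlsplit

# Environment variable names the CodeBuild.2 control looks for.
AWS_CREDENTIAL_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}
# Source types to which the CodeBuild.1 control applies.
REPO_SOURCE_TYPES = {"GITHUB", "GITHUB_ENTERPRISE", "BITBUCKET"}


def url_embeds_credentials(location: str) -> bool:
    """True if the repository URL carries userinfo (a token or user:password)."""
    parts = urlsplit(location)
    return bool(parts.username or parts.password)


def evaluate_project(project: dict) -> list[str]:
    """Return a list of finding strings; an empty list means compliant."""
    findings = []
    # CodeBuild.1: neither the primary nor any secondary source may embed credentials.
    sources = [project.get("source", {})] + project.get("secondarySources", [])
    for src in sources:
        if src.get("type") in REPO_SOURCE_TYPES and url_embeds_credentials(src.get("location", "")):
            findings.append(f"CodeBuild.1: credentials embedded in {src['type']} source URL")
    # CodeBuild.2: AWS access keys must not be clear-text (PLAINTEXT) variables.
    # Assumption: a missing "type" is treated as PLAINTEXT, the API default.
    for var in project.get("environment", {}).get("environmentVariables", []):
        if var.get("name") in AWS_CREDENTIAL_VARS and var.get("type", "PLAINTEXT") == "PLAINTEXT":
            findings.append(f"CodeBuild.2: clear-text environment variable {var['name']}")
    return findings


# Constructed sample of a non-compliant project (placeholder token and key, not real values).
SAMPLE_PROJECT = {
    "name": "example-build",
    "source": {"type": "GITHUB", "location": "https://ghp_EXAMPLETOKEN@github.com/example-org/app.git"},
    "environment": {
        "environmentVariables": [
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLE", "type": "PLAINTEXT"},
            # A Parameter Store reference is the remediated form described above.
            {"name": "DB_PASSWORD", "value": "/example/db_password", "type": "PARAMETER_STORE"},
        ]
    },
}

if __name__ == "__main__":
    for finding in evaluate_project(SAMPLE_PROJECT):
        print(finding)
```

In a real account the same function can be fed each entry of `batch_get_projects(names=...)["projects"]` from boto3 to triage findings before opening the console.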
[CodeBuild.3] CodeBuild S3 logs should be encrypted
Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SI-7(6)
Category: Protect > Data protection > Encryption of data-at-rest
Severity: Low
Resource type: AWS::CodeBuild::Project
AWS Config rule: codebuild-project-s3-logs-encrypted
Schedule type: Change triggered
Parameters: None
This control checks if Amazon S3 logs for an AWS CodeBuild project are encrypted. The control fails if encryption is deactivated for S3 logs for a CodeBuild project.
Encryption of data at rest is a recommended best practice to add a layer of access management around your data. Encrypting the logs at rest reduces the risk that a user not authenticated by AWS will access the data stored on disk. It adds another set of access controls to limit the ability of unauthorized users to access the data.
This control isn't supported in the following Regions:
- Asia Pacific (Hyderabad)
- Asia Pacific (Jakarta)
- Asia Pacific (Osaka)
- China (Beijing)
- China (Ningxia)
- Europe (Spain)
- Europe (Zurich)
- Middle East (UAE)
- AWS GovCloud (US-East)
- AWS GovCloud (US-West)
Remediation
To change the encryption settings for CodeBuild project S3 logs, see Change a build project's settings in AWS CodeBuild in the AWS CodeBuild User Guide.
[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration
Related requirements: NIST.800-53.r5 AC-2(12), NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-9(7), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4, NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8)
Category: Identify > Logging
Severity: Medium
Resource type: AWS::CodeBuild::Project
AWS Config rule: codebuild-project-logging-enabled
Schedule type: Change triggered
Parameters: None
This control checks whether a CodeBuild project environment has at least one log option enabled, either S3 logs or CloudWatch Logs. The control fails if a CodeBuild project environment does not have at least one log option enabled.
From a security perspective, logging is an important feature to enable for forensic investigation in the event of a security incident. Correlating anomalies in CodeBuild projects with threat detections can increase confidence in the accuracy of those threat detections.
This control isn't supported in the following Regions:
- Asia Pacific (Hyderabad)
- Europe (Spain)
- Europe (Zurich)
- Middle East (UAE)
Remediation
For more information on how to configure CodeBuild project log settings, see Create a build project (console) in the CodeBuild User Guide.
[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled
Related requirements: NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(10), NIST.800-53.r5 AC-6(2)
Category: Protect > Secure Access Management
Severity: High
Resource type: AWS::CodeBuild::Project
AWS Config rule: codebuild-project-environment-privileged-check
Schedule type: Change triggered
Parameters: None
This control checks if an AWS CodeBuild project environment has privileged mode enabled. This control fails when an AWS CodeBuild project environment has privileged mode enabled.
By default, Docker containers do not allow access to any devices. Privileged mode grants a build project's Docker container access to all devices. Setting privilegedMode to true enables running the Docker daemon inside a Docker container. The Docker daemon listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes. This parameter should only be set to true if the build project is used to build Docker images. Otherwise, this setting should be disabled to prevent unintended access to the Docker APIs and to the container's underlying hardware; unintended access through privilegedMode could allow malicious tampering with, or deletion of, critical resources.
This control isn't supported in the following Regions:
- Asia Pacific (Hyderabad)
- Europe (Spain)
- Europe (Zurich)
- Middle East (UAE)
Remediation
For more information on how to configure CodeBuild project environment settings, see Create a build project (console) in the CodeBuild User Guide.
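The following added example (not AWS code, and not the Config rules' own logic) evaluates a project's logsConfig and environment against CodeBuild.3, CodeBuild.4 and CodeBuild.5 together: S3 logs that are enabled must not have encryptionDisabled set, at least one of the S3 or CloudWatch Logs destinations must be ENABLED, and privilegedMode must be false. The input follows the shape of a `projects` entry from `codebuild:BatchGetProjects`; the sample projects are constructed, and treating CodeBuild.3 as satisfied when S3 logs are not in use is an assumption.

```python
def evaluate_logging_and_privilege(project: dict) -> dict[str, bool]:
    """Map each control id to True (compliant) or False (non-compliant)."""
    logs = project.get("logsConfig", {})
    s3 = logs.get("s3Logs", {})
    cw = logs.get("cloudWatchLogs", {})
    s3_enabled = s3.get("status") == "ENABLED"
    cw_enabled = cw.get("status") == "ENABLED"
    # CodeBuild.3: encryptionDisabled defaults to false in the API, so a missing
    # key counts as encrypted. Assumption: S3 logs that are off are not a finding.
    s3_encrypted = (not s3_enabled) or not s3.get("encryptionDisabled", False)
    # CodeBuild.4: at least one destination must be enabled (a missing logsConfig fails).
    # CodeBuild.5: privilegedMode defaults to false when absent.
    return {
        "CodeBuild.3": s3_encrypted,
        "CodeBuild.4": s3_enabled or cw_enabled,
        "CodeBuild.5": not project.get("environment", {}).get("privilegedMode", False),
    }


def noncompliant_controls(project: dict) -> list[str]:
    """Sorted ids of the controls the project fails; empty means compliant."""
    return sorted(c for c, ok in evaluate_logging_and_privilege(project).items() if not ok)


# Constructed samples: one project failing CodeBuild.3 and CodeBuild.5, one hardened.
BAD_PROJECT = {
    "name": "legacy-build",
    "environment": {"privilegedMode": True},
    "logsConfig": {
        "cloudWatchLogs": {"status": "DISABLED"},
        "s3Logs": {"status": "ENABLED", "location": "example-bucket/logs", "encryptionDisabled": True},
    },
}
GOOD_PROJECT = {
    "name": "hardened-build",
    "environment": {"privilegedMode": False},
    "logsConfig": {
        "cloudWatchLogs": {"status": "ENABLED", "groupName": "/codebuild/hardened-build"},
        "s3Logs": {"status": "DISABLED"},
    },
}

if __name__ == "__main__":
    for proj in (BAD_PROJECT, GOOD_PROJECT):
        print(proj["name"], "fails:", noncompliant_controls(proj) or "none")
```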