Ensure CodeBuild project encryption is not disabled (Artifacts)

Error: CodeBuild project encryption is disabled

Bridgecrew Policy ID: BC_AWS_GENERAL_30
Checkov Check ID: CKV_AWS_78
Severity: MEDIUM


Description

AWS CodeBuild is a fully managed build service in the cloud. CodeBuild compiles your source code, runs unit tests, and produces artifacts that are ready to deploy. Build artifacts, such as a cache, logs, exported raw test report data files, and build results, are encrypted by default using CMKs for Amazon S3 that are managed by the AWS Key Management Service. If you do not want to use these CMKs, you must create and configure a customer-managed CMK.

Fix - Buildtime

Terraform

  • Resource: aws_codebuild_project
  • Arguments: artifacts.encryption_disabled - (Optional) If set to true, output artifacts will not be encrypted. If type is set to NO_ARTIFACTS then this value will be ignored. Defaults to false.
    To fix, either set it to false or remove the attribute.
resource "aws_codebuild_project" "project-with-cache" {
  ...
  name           = "test-project-cache"
  artifacts {
+    encryption_disabled = false
  }
  ...
}

CloudFormation

  • Resource: AWS::CodeBuild::Project
  • Arguments: Properties.Artifacts.EncryptionDisabled - (Optional) If set to true, output artifacts will not be encrypted. If Artifacts.Type is set to NO_ARTIFACTS then this value will be ignored. Defaults to false.
Resources:
  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      ...
      Artifacts:
        ...
        Type: S3
-       EncryptionDisabled: True
+       EncryptionDisabled: False
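As an added example (not Checkov's own implementation of CKV_AWS_78), a small Python checker that applies the rule above to a CloudFormation template in JSON form, including the NO_ARTIFACTS caveat; the template, resource names and function names are constructed for illustration:

```python
import json

# Constructed sample CloudFormation template (JSON form): one project disables
# artifact encryption, one keeps the default, one has no artifacts at all.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "InsecureProject": {
            "Type": "AWS::CodeBuild::Project",
            "Properties": {"Artifacts": {"Type": "S3", "EncryptionDisabled": True}},
        },
        "SecureProject": {
            "Type": "AWS::CodeBuild::Project",
            "Properties": {"Artifacts": {"Type": "S3", "EncryptionDisabled": "false"}},
        },
        "NoArtifactsProject": {
            "Type": "AWS::CodeBuild::Project",
            "Properties": {"Artifacts": {"Type": "NO_ARTIFACTS", "EncryptionDisabled": "true"}},
        },
        "Bucket": {"Type": "AWS::S3::Bucket"},  # not a CodeBuild project: skipped
    }
})


def _is_true(value):
    """CloudFormation may carry the flag as a boolean or as the string 'true'/'True'."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def check_codebuild_artifact_encryption(template_text):
    """Return {logical_id: 'PASSED' | 'FAILED'} for each AWS::CodeBuild::Project.
    A project fails when Artifacts.EncryptionDisabled is true, except when
    Artifacts.Type is NO_ARTIFACTS, where the flag is ignored (documented caveat)."""
    template = json.loads(template_text)
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::CodeBuild::Project":
            continue
        artifacts = resource.get("Properties", {}).get("Artifacts") or {}
        if artifacts.get("Type") == "NO_ARTIFACTS":
            results[logical_id] = "PASSED"  # the encryption flag has no effect here
            continue
        disabled = _is_true(artifacts.get("EncryptionDisabled", False))
        results[logical_id] = "FAILED" if disabled else "PASSED"
    return results

if __name__ == "__main__":
    for name, status in check_codebuild_artifact_encryption(SAMPLE_TEMPLATE).items():
        print(f"{status}: {name}")
```

The same logic transfers to Terraform by reading artifacts.encryption_disabled and artifacts.type from the parsed aws_codebuild_project block.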