Ensure Customer Managed Key (CMK) is used to encrypt AWS CodeBuild Project

MEDIUM

Description

CodeBuild encrypts a project's build output artifacts with an AWS KMS key. If the project does not specify one, CodeBuild falls back to the AWS managed key for Amazon S3 in the account, whose key policy cannot be edited and whose use cannot be scoped to a project or revoked. A customer managed key (CMK) lets you define the key policy (which principals may encrypt and decrypt artifacts), enable automatic rotation, audit every use through CloudTrail, and cut off access by disabling the key, so it is recommended for this purpose. For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/codebuild/latest/userguide/setting-up.html

Remediation

Data at rest, which can include build artifacts and results, is encrypted by default using AWS managed keys. To use a customer managed key, create a KMS key whose key policy allows the project's service role to use it (kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, kms:DescribeKey), grant the same operations to any principal that must read the artifacts (for example a CodePipeline role or developers who download them), and then select the key on the project. Follow the AWS documentation for creating, storing, and selecting these keys.

In Terraform -

  1. In the aws_codebuild_project resource, set the encryption_key argument to the ARN of the customer managed KMS key (CodeBuild also accepts an alias in the form alias/<name>).
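
The following Terraform configuration is an added example, not code from this page, from AWS, or from the Terraform provider documentation. It shows the weak form flagged by this rule (encryption_key omitted) next to the remediated form: a customer managed key with a key policy that lets the CodeBuild service role use it, and a project that references that key. The region, the role, key, bucket and project names, and the GitHub URL are assumptions for illustration.

```hcl
# Added example (not from this page, AWS, or the Terraform provider docs).
# Assumed for illustration: region, role/key/bucket/project names, GitHub URL.

provider "aws" {
  region = "us-east-1" # assumption
}

data "aws_caller_identity" "current" {}

# Weak form flagged by this rule: encryption_key is omitted, so CodeBuild
# falls back to the AWS managed key for Amazon S3 in the account.
#
#   resource "aws_codebuild_project" "before" {
#     name         = "example-project"
#     service_role = aws_iam_role.codebuild.arn
#     artifacts { ... }   environment { ... }   source { ... }
#   }

resource "aws_iam_role" "codebuild" {
  name = "example-codebuild-role" # assumption
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "codebuild.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Customer managed key. The key policy is what authorises use of the key:
# the account root keeps administration rights, and the CodeBuild service
# role gets only the operations needed to encrypt and decrypt artifacts.
resource "aws_kms_key" "codebuild" {
  description         = "CodeBuild build artifact encryption"
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AccountAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "CodeBuildServiceRoleUse"
        Effect    = "Allow"
        Principal = { AWS = aws_iam_role.codebuild.arn }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ]
        Resource = "*" # inside a key policy, "*" means this key only
      }
    ]
  })
}

resource "aws_kms_alias" "codebuild" {
  name          = "alias/codebuild-artifacts" # assumption
  target_key_id = aws_kms_key.codebuild.key_id
}

resource "aws_s3_bucket" "artifacts" {
  bucket = "example-codebuild-artifacts-${data.aws_caller_identity.current.account_id}"
}

# Remediated project: encryption_key points at the customer managed key.
resource "aws_codebuild_project" "after" {
  name         = "example-project"
  service_role = aws_iam_role.codebuild.arn

  # ARN of the CMK; CodeBuild also accepts "alias/<name>".
  encryption_key = aws_kms_key.codebuild.arn

  artifacts {
    type      = "S3"
    location  = aws_s3_bucket.artifacts.bucket
    packaging = "ZIP"
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:7.0"
    type         = "LINUX_CONTAINER"
  }

  source {
    type     = "GITHUB"
    location = "https://github.com/example/repo.git" # assumption
  }
}
```

Two points worth checking before applying this: the key policy grants the role directly, so no separate identity policy is needed for the role named there, but any other principal that downloads the artifacts (a pipeline role, a developer) needs kms:Decrypt on the key as well, or its reads will fail with AccessDenied; and the key's region must match the project's, since a CodeBuild project cannot use a KMS key from another region.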

References:
https://docs.aws.amazon.com/codebuild/latest/userguide/security-encryption.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project

Policy Details

Rule Reference ID: AC_AWS_0446
CSP: AWS
Remediation Available: Yes
Resource Category: Management
Resource Type: CodeBuild

Frameworks