Ensure environment variables do not contain any credentials in AWS Codebuild Project

MEDIUM

Description

Using credentials in environment variables with commonly identifiable names may make the resource vulnerable to unauthorized access. It is recommended to use a secret manager or a key management service to store credentials instead of environment variables.

Remediation

In AWS Console -

  1. Sign in to AWS Console and open the CodeBuild console.
  2. Select Build project and then select the build project that contains plaintext credentials.
  3. Choose Edit > Environment and expand Additional configuration.
  4. Click the Remove button next to the environment variables that hold credentials.
  5. Select Update environment.

In Terraform -

  1. Ensure no "environment_variable" block carries credentials such as 'AWS_ACCESS_KEY_ID' / 'AWS_SECRET_ACCESS_KEY' as plaintext values.
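The check below implements this rule over a CodeBuild project description, as an added example that is not part of the original policy page. It assumes the JSON shape returned by `aws codebuild batch-get-projects` (a constructed sample is embedded), treats the CodeBuild variable types PARAMETER_STORE and SECRETS_MANAGER as store references rather than plaintext, and generalizes the two names in the text to a small set of credential-like name patterns.

```python
import re

# Credential-like variable names (case-insensitive): the two from the policy
# text plus a few widely used patterns; extend to taste.
CREDENTIAL_NAME_PATTERNS = [
    r"^AWS_ACCESS_KEY_ID$",
    r"^AWS_SECRET_ACCESS_KEY$",
    r"^AWS_SESSION_TOKEN$",
    r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)",
]
_CREDENTIAL_NAME_RE = re.compile("|".join(CREDENTIAL_NAME_PATTERNS), re.IGNORECASE)

# CodeBuild variable types whose value is a reference resolved at build time,
# not the credential itself.
SAFE_TYPES = {"PARAMETER_STORE", "SECRETS_MANAGER"}


def is_credential_name(name: str) -> bool:
    return _CREDENTIAL_NAME_RE.search(name) is not None


def find_plaintext_credentials(project: dict) -> list[str]:
    """Return the names of environment variables that look like credentials
    but are stored as PLAINTEXT (the default when 'type' is omitted)."""
    findings = []
    env_vars = project.get("environment", {}).get("environmentVariables", [])
    for var in env_vars:
        name = var.get("name", "")
        var_type = var.get("type", "PLAINTEXT")
        if var_type not in SAFE_TYPES and is_credential_name(name):
            findings.append(name)
    return findings


# Constructed sample projects (placeholder values, not real credentials).
BAD_PROJECT = {"name": "example-build", "environment": {"environmentVariables": [
    {"name": "BUILD_TARGET", "value": "prod", "type": "PLAINTEXT"},
    {"name": "AWS_SECRET_ACCESS_KEY", "value": "<placeholder>", "type": "PLAINTEXT"},
    {"name": "DB_PASSWORD", "value": "<placeholder>"},  # type omitted => PLAINTEXT
]}}
GOOD_PROJECT = {"name": "example-build", "environment": {"environmentVariables": [
    {"name": "BUILD_TARGET", "value": "prod", "type": "PLAINTEXT"},
    # Static AWS keys removed; the build role supplies AWS credentials instead.
    {"name": "DB_PASSWORD", "value": "/prod/db/password", "type": "PARAMETER_STORE"},
]}}

if __name__ == "__main__":
    print("bad project findings:", find_plaintext_credentials(BAD_PROJECT))
    print("good project findings:", find_plaintext_credentials(GOOD_PROJECT))
```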

For more information on CodeBuild environment variables, see the AWS documentation.

References:
https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-env-vars.html

Policy Details

Rule Reference ID: AC_AWS_0545
CSP: AWS
Remediation Available: No
Resource Category: Management
Resource Type: CodeBuild

Frameworks