CodeBuild Not Encrypted

  • Query id: d7467bb6-3ed1-4c82-8095-5e7a818d0aad
  • Query name: CodeBuild Not Encrypted
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Encryption
  • URL: Github

Description

CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
    CodeBuildProject:
      Project:
        Type: AWS::CodeBuild::Project
        Properties:
          Name: myProjectName
          Description: A description about my project
          ServiceRole: !GetAtt ServiceRole.Arn
          Artifacts:
            Type: no_artifacts
          Environment:
            Type: LINUX_CONTAINER
            ComputeType: BUILD_GENERAL1_SMALL
            Image: aws/codebuild/java:openjdk-8
            EnvironmentVariables:
            - Name: varName
              Type: varType
              Value: varValue
          Source:
            Location: codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c
            Type: S3
          TimeoutInMinutes: 10
          Tags:
            - Key: Key1
              Value: Value1
            - Key: Key2
              Value: Value2
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "CodeBuildProject": {
      "Project": {
        "Type": "AWS::CodeBuild::Project",
        "Properties": {
          "Description": "A description about my project",
          "ServiceRole": "ServiceRole.Arn",
          "Artifacts": {
            "Type": "no_artifacts"
          },
          "Environment": {
            "Image": "aws/codebuild/java:openjdk-8",
            "EnvironmentVariables": [
              {
                "Name": "varName",
                "Type": "varType",
                "Value": "varValue"
              }
            ],
            "Type": "LINUX_CONTAINER",
            "ComputeType": "BUILD_GENERAL1_SMALL"
          },
          "Source": {
            "Location": "codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c",
            "Type": "S3"
          },
          "TimeoutInMinutes": 10,
          "Tags": [
            {
              "Key": "Key1",
              "Value": "Value1"
            },
            {
              "Key": "Key2",
              "Value": "Value2"
            }
          ],
          "Name": "myProjectName"
        }
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
    CodeBuildProject:
      Project:
        Type: AWS::CodeBuild::Project
        Properties:
          Name: myProjectName
          Description: A description about my project
          EncryptionKey: "alias/alias-name"
          ServiceRole: !GetAtt ServiceRole.Arn
          Artifacts:
            Type: no_artifacts
          Environment:
            Type: LINUX_CONTAINER
            ComputeType: BUILD_GENERAL1_SMALL
            Image: aws/codebuild/java:openjdk-8
            EnvironmentVariables:
            - Name: varName
              Type: varType
              Value: varValue
          Source:
            Location: codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c
            Type: S3
          TimeoutInMinutes: 10
          Tags:
            - Key: Key1
              Value: Value1
            - Key: Key2
              Value: Value2
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "CodeBuildProject": {
      "Project": {
        "Type": "AWS::CodeBuild::Project",
        "Properties": {
          "Name": "myProjectName",
          "Description": "A description about my project",
          "TimeoutInMinutes": 10,
          "EncryptionKey": "alias/alias-name",
          "ServiceRole": "ServiceRole.Arn",
          "Artifacts": {
            "Type": "no_artifacts"
          },
          "Environment": {
            "Type": "LINUX_CONTAINER",
            "ComputeType": "BUILD_GENERAL1_SMALL",
            "Image": "aws/codebuild/java:openjdk-8",
            "EnvironmentVariables": [
              {
                "Name": "varName",
                "Type": "varType",
                "Value": "varValue"
              }
            ]
          },
          "Source": {
            "Location": "codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c",
            "Type": "S3"
          },
          "Tags": [
            {
              "Key": "Key1",
              "Value": "Value1"
            },
            {
              "Key": "Key2",
              "Value": "Value2"
            }
          ]
        }
      }
    }
  }
}