Metadata

Id: a1423864-2fbc-4f46-bfe1-fbbf125c71c9

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Encryption

Description

CodeBuild projects must have a KMS encryption key configured so that build output artifacts and the S3 build cache are encrypted at rest under a key you control. (Build logs are not covered by this setting; CloudWatch Logs and S3 log encryption are configured on the log destination.)

For Ansible tasks using the community.aws.codebuild_project module (or its former name, aws_codebuild), the encryption_key parameter must be present and set to a KMS key ARN or alias (for example arn:aws:kms:... or alias/your-key-alias). Tasks that omit encryption_key, or leave it empty or undefined, are flagged. When the parameter is omitted, CodeBuild falls back to the AWS-managed key for Amazon S3 in the account; naming the key explicitly, ideally a customer managed key, keeps the key policy, rotation, and access auditing in your hands.

Example secure task:

- name: create codebuild project
  community.aws.codebuild_project:
    name: my-build
    encryption_key: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ef56-7890-abcd-123456ef7890
    # other required properties...
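The check described above can be reproduced outside the scanner. The following is an added example, not code from this page or from the Datadog or Ansible projects: it walks a list of Ansible tasks (already loaded into dicts, as yaml.safe_load would return them), matches the module under both its current and legacy names, and reports tasks whose encryption_key is missing, empty, not shaped like a KMS key ARN or alias, or a Jinja2 template that cannot be verified statically. The 12-digit account ID check and the sample tasks are assumptions of this example, not part of the rule.

```python
import re

# Module names covered by the rule: the current FQCN plus the legacy short
# names that older playbooks still use (aws_codebuild was renamed codebuild_project).
CODEBUILD_MODULES = (
    "community.aws.codebuild_project",
    "codebuild_project",
    "aws_codebuild",
)

# Accepted shapes for encryption_key: a KMS key or alias ARN, or a bare alias.
# Assumption: 12-digit account IDs, as AWS issues them; the fixtures on this
# page use shortened placeholder IDs, which this stricter check would reject.
KMS_ARN_RE = re.compile(r"^arn:aws(-[a-z]+)*:kms:[a-z0-9-]+:\d{12}:(key|alias)/\S+$")
KMS_ALIAS_RE = re.compile(r"^alias/[A-Za-z0-9/_-]+$")


def classify_key(value):
    """Return 'ok', 'templated', 'missing' or 'invalid' for an encryption_key value."""
    if value is None or value == "":
        return "missing"
    if not isinstance(value, str):
        return "invalid"
    if "{{" in value:
        # A Jinja2 expression is resolved only at run time; a static scan cannot
        # verify it, so report it separately rather than passing it silently.
        return "templated"
    if KMS_ARN_RE.match(value) or KMS_ALIAS_RE.match(value):
        return "ok"
    return "invalid"


def check_tasks(tasks):
    """Scan Ansible task dicts; return (task name, status, value) for every
    CodeBuild task whose encryption_key is not a verified KMS key."""
    findings = []
    for task in tasks:
        module = next((m for m in CODEBUILD_MODULES if m in task), None)
        if module is None:
            continue  # not a CodeBuild task
        args = task.get(module) or {}
        status = classify_key(args.get("encryption_key"))
        if status != "ok":
            findings.append((task.get("name", "<unnamed>"), status, args.get("encryption_key")))
    return findings


# Constructed sample tasks (not from a real playbook), in the dict form that
# yaml.safe_load produces for a task list.
SAMPLE_TASKS = [
    {"name": "customer managed key", "community.aws.codebuild_project": {
        "name": "build-a",
        "encryption_key": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-ef56-7890-abcd-123456ef7890",
    }},
    {"name": "alias form", "aws_codebuild": {
        "name": "build-b", "encryption_key": "alias/codebuild-artifacts"}},
    {"name": "no key", "community.aws.codebuild_project": {"name": "build-c"}},
    {"name": "empty key", "codebuild_project": {"name": "build-d", "encryption_key": ""}},
    {"name": "not a kms key", "community.aws.codebuild_project": {
        "name": "build-e", "encryption_key": "arn:aws:s3:::my-bucket"}},
    {"name": "from variable", "community.aws.codebuild_project": {
        "name": "build-f", "encryption_key": "{{ kms_key_arn }}"}},
    {"name": "unrelated", "amazon.aws.s3_bucket": {"name": "bucket"}},
]

if __name__ == "__main__":
    for name, status, value in check_tasks(SAMPLE_TASKS):
        print(f"{status:9} {name!r}: {value!r}")
```

Templated values are reported as their own class rather than passed or failed: a variable such as kms_key_arn may well resolve to a valid key, but only a run-time check (or a scan with the inventory and group_vars resolved) can confirm it.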

Compliant Code Examples

- name: My project v2
  community.aws.codebuild_project:
    description: My nice little project
    service_role: arn:aws:iam::123123:role/service-role/code-build-service-role
    source:
      type: CODEPIPELINE
      buildspec: ''
    artifacts:
      namespaceType: NONE
      packaging: NONE
      type: CODEPIPELINE
      name: my_project
    environment:
      computeType: BUILD_GENERAL1_SMALL
      privilegedMode: true   # YAML boolean; the quoted string 'true' is rejected by the API
      image: aws/codebuild/docker:17.09.0
      type: LINUX_CONTAINER
    # Explicit KMS key for build output, here the AWS-managed S3 key given as an alias ARN;
    # a customer managed key would additionally put the key policy and rotation under your control.
    encryption_key: arn:aws:kms:us-east-1:123123:alias/aws/s3
    region: us-east-1
    state: present

Non-Compliant Code Examples

- name: My project
  community.aws.codebuild_project:
    description: My nice little project v2
    service_role: arn:aws:iam::123123:role/service-role/code-build-service-role
    source:
      type: CODEPIPELINE
      buildspec: ''
    artifacts:
      namespaceType: NONE
      packaging: NONE
      type: CODEPIPELINE
      name: my_project
    environment:
      computeType: BUILD_GENERAL1_SMALL
      privilegedMode: true   # YAML boolean; the quoted string 'true' is rejected by the API
      image: aws/codebuild/docker:17.09.0
      type: LINUX_CONTAINER
    # encryption_key is absent: CodeBuild silently falls back to the account's
    # AWS-managed S3 key, so this task is flagged by the rule.
    region: us-east-1
    state: present