CodeBuild project is not encrypted
Id: a1423864-2fbc-4f46-bfe1-fbbf125c71c9
Cloud Provider: AWS
Platform: Ansible
Severity: Medium
Category: Encryption
Description
CodeBuild projects must have a KMS encryption key configured so build artifacts, cached data, and logs are protected at rest.
For Ansible resources using the community.aws.codebuild_project or aws_codebuild modules, the encryption_key property must be defined and set to a valid AWS KMS key ARN or alias (for example arn:aws:kms:... or alias/your-key-alias). Resources missing encryption_key or with it undefined are flagged.
Example secure task:
- name: create codebuild project
  community.aws.codebuild_project:
    name: my-build
    encryption_key: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ef56-7890-abcd-123456ef7890
    # other required properties...
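The check this rule describes, as an added Python example (not Datadog's scanner code): it walks already-parsed playbook tasks, including those nested in block/rescue/always, and flags every CodeBuild task whose encryption_key is absent, null, empty or not shaped like a KMS key ARN or alias. The module-name set, the key pattern and the sample tasks are assumptions constructed here, mirroring the page's compliant and non-compliant examples.

```python
import re

# Module names that create a CodeBuild project (FQCN and legacy short names; assumed set).
CODEBUILD_MODULES = {
    "community.aws.codebuild_project", "community.aws.aws_codebuild",
    "codebuild_project", "aws_codebuild",
}

# A KMS key reference: a key ARN, an alias ARN, or a bare alias (assumed pattern).
KMS_KEY_RE = re.compile(
    r"^(?:arn:aws[a-z-]*:kms:[a-z0-9-]+:\d+:(?:key/[0-9a-fA-F-]+|alias/[A-Za-z0-9/_-]+)"
    r"|alias/[A-Za-z0-9/_-]+)$"
)


def kms_key_is_valid(value) -> bool:
    """True only for a non-empty string that matches the KMS key ARN/alias pattern."""
    return isinstance(value, str) and bool(KMS_KEY_RE.match(value.strip()))


def iter_tasks(tasks):
    """Yield every task, descending into block/rescue/always so nested tasks are not missed."""
    for task in tasks:
        yield task
        for section in ("block", "rescue", "always"):
            if isinstance(task.get(section), list):
                yield from iter_tasks(task[section])


def find_unencrypted_codebuild_tasks(tasks):
    """Return the names of CodeBuild tasks whose encryption_key is missing or invalid."""
    findings = []
    for task in iter_tasks(tasks):
        for module in task.keys() & CODEBUILD_MODULES:
            params = task[module] if isinstance(task[module], dict) else {}
            if not kms_key_is_valid(params.get("encryption_key")):
                findings.append(task.get("name", "<unnamed>"))
    return findings


# Constructed sample tasks: one compliant, three non-compliant variants, one unrelated.
SAMPLE_TASKS = [
    {"name": "My project v2", "community.aws.codebuild_project": {
        "name": "my_project", "encryption_key": "arn:aws:kms:us-east-1:123123:alias/aws/s3"}},
    {"name": "My project",  # encryption_key absent entirely
     "community.aws.codebuild_project": {"name": "my_project", "region": "us-east-1"}},
    {"name": "legacy module, key left empty", "aws_codebuild": {"encryption_key": ""}},
    {"name": "wrapped in a block", "block": [
        {"name": "nested project, key undefined",
         "community.aws.codebuild_project": {"name": "nested", "encryption_key": None}}]},
    {"name": "unrelated task", "ansible.builtin.debug": {"msg": "not a CodeBuild project"}},
]

if __name__ == "__main__":
    for name in find_unencrypted_codebuild_tasks(SAMPLE_TASKS):
        print(f"MEDIUM: CodeBuild project is not encrypted -> task '{name}'")
```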
Compliant Code Examples
- name: My project v2
  community.aws.codebuild_project:
    description: My nice little project
    service_role: arn:aws:iam::123123:role/service-role/code-build-service-role
    source:
      type: CODEPIPELINE
      buildspec: ''
    artifacts:
      namespaceType: NONE
      packaging: NONE
      type: CODEPIPELINE
      name: my_project
    environment:
      computeType: BUILD_GENERAL1_SMALL
      privilegedMode: 'true'
      image: aws/codebuild/docker:17.09.0
      type: LINUX_CONTAINER
    encryption_key: arn:aws:kms:us-east-1:123123:alias/aws/s3
    region: us-east-1
    state: present
Non-Compliant Code Examples
- name: My project
  community.aws.codebuild_project:
    description: My nice little project v2
    service_role: "arn:aws:iam::123123:role/service-role/code-build-service-role"
    source:
      type: CODEPIPELINE
      buildspec: ''
    artifacts:
      namespaceType: NONE
      packaging: NONE
      type: CODEPIPELINE
      name: my_project
    environment:
      computeType: BUILD_GENERAL1_SMALL
      privilegedMode: "true"
      image: "aws/codebuild/docker:17.09.0"
      type: LINUX_CONTAINER
    region: us-east-1
    state: present