---
title: CodeBuild project is not encrypted
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > CodeBuild project is not encrypted
---

# CodeBuild project is not encrypted

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `a1423864-2fbc-4f46-bfe1-fbbf125c71c9`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/community/aws/codebuild_project_module.html)

### Description{% #description %}

CodeBuild projects must have a KMS encryption key configured so build artifacts, cached data, and logs are protected at rest.

For Ansible resources using the `community.aws.codebuild_project` or `aws_codebuild` modules, the `encryption_key` property must be defined and set to a valid AWS KMS key ARN or alias (for example `arn:aws:kms:...` or `alias/your-key-alias`). Resources that omit `encryption_key`, or leave it undefined or empty, are flagged.

Example secure task:

```yaml
- name: create codebuild project
  community.aws.codebuild_project:
    name: my-build
    encryption_key: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ef56-7890-abcd-123456ef7890
    # other required properties...
```
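As an added example (not code from the Datadog rule engine or the Ansible collection), the check described above implemented in Python over already-parsed Ansible task dicts: it assumes the playbook has been loaded with a YAML parser, looks at the two module names named on this page, and accepts the KMS key ARN or alias forms the description lists. The sample tasks are constructed to mirror this page's compliant and non-compliant examples.

```python
"""Flag Ansible CodeBuild tasks whose `encryption_key` is missing, empty, or not a KMS key reference."""
import re

# Modules the rule applies to (as named on this page).
CODEBUILD_MODULES = {"community.aws.codebuild_project", "aws_codebuild"}

# Accept a KMS key or alias ARN in any AWS partition, or a bare `alias/...` name.
# The account field is left loose so illustrative account ids (e.g. 123123) also pass.
KMS_KEY_PATTERN = re.compile(
    r"^(?:arn:aws[a-z-]*:kms:[a-z0-9-]*:[^:]*:(?:key|alias)/\S+|alias/\S+)$"
)


def find_codebuild_module(task):
    """Return the CodeBuild module key used by an Ansible task dict, or None if not applicable."""
    for key in task:
        if key in CODEBUILD_MODULES:
            return key
    return None


def check_task(task):
    """Return a finding string for a non-compliant task, or None if compliant or not a CodeBuild task."""
    module = find_codebuild_module(task)
    if module is None:
        return None
    params = task.get(module) or {}  # module args may be None for an empty mapping
    key = params.get("encryption_key")
    name = task.get("name", "<unnamed>")
    if key is None or (isinstance(key, str) and not key.strip()):
        return f"{name}: encryption_key missing or undefined"
    if not isinstance(key, str) or not KMS_KEY_PATTERN.match(key):
        return f"{name}: encryption_key is not a KMS key ARN or alias ({key!r})"
    return None


def check_tasks(tasks):
    """Run check_task over a task list and return only the findings."""
    return [f for f in (check_task(t) for t in tasks) if f]


# Constructed sample: one compliant task, one non-compliant task, one unrelated task.
SAMPLE_TASKS = [
    {"name": "My project v2", "community.aws.codebuild_project": {
        "service_role": "arn:aws:iam::123123:role/service-role/code-build-service-role",
        "encryption_key": "arn:aws:kms:us-east-1:123123:alias/aws/s3",
        "region": "us-east-1", "state": "present"}},
    {"name": "My project", "community.aws.codebuild_project": {
        "service_role": "arn:aws:iam::123123:role/service-role/code-build-service-role",
        "region": "us-east-1", "state": "present"}},
    {"name": "unrelated task", "ansible.builtin.debug": {"msg": "hello"}},
]

if __name__ == "__main__":
    for finding in check_tasks(SAMPLE_TASKS):
        print(finding)
```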

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: My project v2
  community.aws.codebuild_project:
    description: My nice little project
    service_role: arn:aws:iam::123123:role/service-role/code-build-service-role
    source:
      type: CODEPIPELINE
      buildspec: ''
    artifacts:
      namespaceType: NONE
      packaging: NONE
      type: CODEPIPELINE
      name: my_project
    environment:
      computeType: BUILD_GENERAL1_SMALL
      privilegedMode: 'true'
      image: aws/codebuild/docker:17.09.0
      type: LINUX_CONTAINER
    encryption_key: arn:aws:kms:us-east-1:123123:alias/aws/s3
    region: us-east-1
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: My project
  community.aws.codebuild_project:
    description: My nice little project v2
    service_role: "arn:aws:iam::123123:role/service-role/code-build-service-role"
    source:
      type: CODEPIPELINE
      buildspec: ''
    artifacts:
      namespaceType: NONE
      packaging: NONE
      type: CODEPIPELINE
      name: my_project
    environment:
      computeType: BUILD_GENERAL1_SMALL
      privilegedMode: "true"
      image: "aws/codebuild/docker:17.09.0"
      type: LINUX_CONTAINER
    region: us-east-1
    state: present
```
