---
title: CodeBuild not encrypted
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > CodeBuild not encrypted
---

# CodeBuild not encrypted

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `cloudformation-aws-codebuild-not-encrypted` 

**Provider:** AWS

**Platform:** CloudFormation

**Severity:** Medium

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html)

### Description{% #description %}

Build projects must specify an explicit AWS KMS encryption key to protect build artifacts and outputs with a customer-controlled key and retain control over key policies, rotation, and auditability.

In CloudFormation, the `EncryptionKey` property on `AWS::CodeBuild::Project` (`Resources.<name>.Project.Properties.EncryptionKey`) must be defined and not `null`. It should reference an AWS KMS key ARN or a CloudFormation reference to an `AWS::KMS::Key`. Resources missing this property or with `EncryptionKey` set to `null` will be flagged as non-compliant.

Secure configuration example:

```yaml
MyCodeBuildProject:
  Type: AWS::CodeBuild::Project
  Properties:
    Name: my-project
    EncryptionKey: !GetAtt MyKmsKey.Arn
    # other required properties...
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
    CodeBuildProject:
      Project:
        Type: AWS::CodeBuild::Project
        Properties:
          Name: myProjectName
          Description: A description about my project
          EncryptionKey: "alias/alias-name"
          ServiceRole: !GetAtt ServiceRole.Arn
          Artifacts:
            Type: no_artifacts
          Environment:
            Type: LINUX_CONTAINER
            ComputeType: BUILD_GENERAL1_SMALL
            Image: aws/codebuild/java:openjdk-8
            EnvironmentVariables:
            - Name: varName
              Type: varType
              Value: varValue
          Source:
            Location: codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c
            Type: S3
          TimeoutInMinutes: 10
          Tags:
            - Key: Key1
              Value: Value1
            - Key: Key2
              Value: Value2
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
    CodeBuildProject:
      Project:
        Type: AWS::CodeBuild::Project
        Properties:
          Name: myProjectName
          Description: A description about my project
          ServiceRole: !GetAtt ServiceRole.Arn
          Artifacts:
            Type: no_artifacts
          Environment:
            Type: LINUX_CONTAINER
            ComputeType: BUILD_GENERAL1_SMALL
            Image: aws/codebuild/java:openjdk-8
            EnvironmentVariables:
            - Name: varName
              Type: varType
              Value: varValue
          Source:
            Location: codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c
            Type: S3
          TimeoutInMinutes: 10
          Tags:
            - Key: Key1
              Value: Value1
            - Key: Key2
              Value: Value2
```