Build projects must specify an explicit AWS KMS encryption key to protect build artifacts and outputs with a customer-controlled key and retain control over key policies, rotation, and auditability.
In CloudFormation, the EncryptionKey property on AWS::CodeBuild::Project (Resources.<name>.Project.Properties.EncryptionKey) must be defined and not null. It should reference an AWS KMS key ARN or a CloudFormation reference to an AWS::KMS::Key. Resources missing this property or with EncryptionKey set to null will be flagged as non-compliant.
Secure configuration example:
```yaml
MyCodeBuildProject:
  Type: AWS::CodeBuild::Project
  Properties:
    Name: my-project
    EncryptionKey: !GetAtt MyKmsKey.Arn
    # other required properties...
```
Compliant Code Examples
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  CodeBuildProject:
    Project:
      Type: AWS::CodeBuild::Project
      Properties:
        Name: myProjectName
        Description: A description about my project
        EncryptionKey: "alias/alias-name"
        ServiceRole: !GetAtt ServiceRole.Arn
        Artifacts:
          Type: no_artifacts
        Environment:
          Type: LINUX_CONTAINER
          ComputeType: BUILD_GENERAL1_SMALL
          Image: aws/codebuild/java:openjdk-8
          EnvironmentVariables:
            - Name: varName
              Type: varType
              Value: varValue
        Source:
          Location: codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c
          Type: S3
        TimeoutInMinutes: 10
        Tags:
          - Key: Key1
            Value: Value1
          - Key: Key2
            Value: Value2
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "CodeBuildProject": {
      "Project": {
        "Type": "AWS::CodeBuild::Project",
        "Properties": {
          "Name": "myProjectName",
          "Description": "A description about my project",
          "TimeoutInMinutes": 10,
          "EncryptionKey": "alias/alias-name",
          "ServiceRole": "ServiceRole.Arn",
          "Artifacts": {
            "Type": "no_artifacts"
          },
          "Environment": {
            "Type": "LINUX_CONTAINER",
            "ComputeType": "BUILD_GENERAL1_SMALL",
            "Image": "aws/codebuild/java:openjdk-8",
            "EnvironmentVariables": [
              {
                "Name": "varName",
                "Type": "varType",
                "Value": "varValue"
              }
            ]
          },
          "Source": {
            "Location": "codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c",
            "Type": "S3"
          },
          "Tags": [
            { "Key": "Key1", "Value": "Value1" },
            { "Key": "Key2", "Value": "Value2" }
          ]
        }
      }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  CodeBuildProject:
    Project:
      Type: AWS::CodeBuild::Project
      Properties:
        Name: myProjectName
        Description: A description about my project
        ServiceRole: !GetAtt ServiceRole.Arn
        Artifacts:
          Type: no_artifacts
        Environment:
          Type: LINUX_CONTAINER
          ComputeType: BUILD_GENERAL1_SMALL
          Image: aws/codebuild/java:openjdk-8
          EnvironmentVariables:
            - Name: varName
              Type: varType
              Value: varValue
        Source:
          Location: codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c
          Type: S3
        TimeoutInMinutes: 10
        Tags:
          - Key: Key1
            Value: Value1
          - Key: Key2
            Value: Value2
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "CodeBuildProject": {
      "Project": {
        "Type": "AWS::CodeBuild::Project",
        "Properties": {
          "Description": "A description about my project",
          "ServiceRole": "ServiceRole.Arn",
          "Artifacts": {
            "Type": "no_artifacts"
          },
          "Environment": {
            "Image": "aws/codebuild/java:openjdk-8",
            "EnvironmentVariables": [
              {
                "Name": "varName",
                "Type": "varType",
                "Value": "varValue"
              }
            ],
            "Type": "LINUX_CONTAINER",
            "ComputeType": "BUILD_GENERAL1_SMALL"
          },
          "Source": {
            "Location": "codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c",
            "Type": "S3"
          },
          "TimeoutInMinutes": 10,
          "Tags": [
            { "Key": "Key1", "Value": "Value1" },
            { "Key": "Key2", "Value": "Value2" }
          ],
          "Name": "myProjectName"
        }
      }
    }
  }
}
```
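As an added example (not Datadog's rule implementation), a small Python checker that applies the rule's condition to JSON-format templates: it walks Resources, accepts both the Resources.<name>.Project nesting used in this page's examples and the standard Resources.<name>.Type layout (an assumption), and reports AWS::CodeBuild::Project resources whose EncryptionKey is missing or null. The sample templates are constructed, trimmed versions of the examples above.

```python
import json
from typing import Any

CODEBUILD_TYPE = "AWS::CodeBuild::Project"


def _resource_body(resource: dict[str, Any]) -> dict[str, Any]:
    """The rule documents the path Resources.<name>.Project.Properties (as in the
    examples on this page); a standard template puts Type/Properties directly
    under the logical ID. Assumption: accept both shapes."""
    if "Type" not in resource and isinstance(resource.get("Project"), dict):
        return resource["Project"]
    return resource


def find_unencrypted_codebuild(template: dict[str, Any]) -> list[str]:
    """Return logical IDs of AWS::CodeBuild::Project resources whose
    Properties.EncryptionKey is absent or null (the page's non-compliance condition)."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        body = _resource_body(resource)
        if body.get("Type") != CODEBUILD_TYPE:
            continue
        props = body.get("Properties") or {}
        # An ARN/alias string or a Ref / Fn::GetAtt object all count as "defined".
        if props.get("EncryptionKey") is None:
            findings.append(logical_id)
    return findings


def check_template_json(text: str) -> list[str]:
    """Parse a JSON-format CloudFormation template and run the check."""
    return find_unencrypted_codebuild(json.loads(text))


# Constructed samples: trimmed versions of the examples on this page.
COMPLIANT = json.dumps({"Resources": {"CodeBuildProject": {"Project": {
    "Type": CODEBUILD_TYPE,
    "Properties": {"Name": "myProjectName", "EncryptionKey": "alias/alias-name"}}}}})
NON_COMPLIANT = json.dumps({"Resources": {"CodeBuildProject": {"Project": {
    "Type": CODEBUILD_TYPE,
    "Properties": {"Name": "myProjectName"}}}}})
NULL_KEY = json.dumps({"Resources": {
    "Build": {"Type": CODEBUILD_TYPE, "Properties": {"EncryptionKey": None}},
    "Key": {"Type": "AWS::KMS::Key", "Properties": {}}}})

if __name__ == "__main__":
    for label, doc in ("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT), ("null key", NULL_KEY):
        print(f"{label}: flagged={check_template_json(doc)}")
```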
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```