--- title: CodeBuild project encrypted with AWS managed key description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > CodeBuild project encrypted with AWS managed key --- # CodeBuild project encrypted with AWS managed key {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-codebuild-project-encrypted-with-aws-managed-key` **Provider:** AWS **Platform:** Terraform **Severity:** Low **Category:** Encryption #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project#encryption_key) ### Description{% #description %} This check ensures that AWS CodeBuild projects are encrypted using customer-managed KMS keys rather than the default AWS-managed keys. Using the default AWS-managed key (for example, `encryption_key = data.aws_kms_key.by_alias.arn` with `key_id = "alias/aws/s3"`) limits your control over key rotation, access policies, and audit logging, potentially increasing the risk of unauthorized data access. To maximize security and compliance, the `encryption_key` attribute should reference a customer-managed KMS key (such as `key_id = "alias/myAlias"`), allowing organizations to fully manage encryption controls for sensitive CodeBuild project data. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform provider "aws" { region = "us-east-1" } data "aws_kms_key" "by_alias2" { key_id = "alias/myAlias" } # No policy attached to this role because it is for testing purposes resource "aws_iam_role" "codebuild2" { name = "codebuild-cloudrail-test" assume_role_policy = <