CodeBuild build artifacts encryption should not be disabled
- GG_ID: GG_IAC_0029
- Severity: HIGH
- Complexity: LOW
- Categories: DATA, PERMISSION
- Providers: AWS
- Potential data exposure: True
- Visible in logs: False
- User interaction required: False
- Privileges required: True
Description#
CodeBuild uses artifacts such as a cache, logs, exported raw test report data files, and build results. Those should always be encrypted to protect the data if accesses are compromised.
Impact#
An attacker could read the CodeBuild build artifacts if it gains access to the AWS account.
Remediation guidelines#
Do not disable the CodeBuild build artifacts encryption.