
CodeBuild build artifacts encryption should not be disabled

  • GG_ID: GG_IAC_0029
  • Severity: HIGH
  • Complexity: LOW
  • Categories: DATA, PERMISSION
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True

Description

CodeBuild uses artifacts such as a cache, logs, exported raw test report data files, and build results. These should always be encrypted to protect the data if access is compromised.

Impact

An attacker could read the CodeBuild build artifacts if they gain access to the AWS account.

Remediation guidelines

Do not disable the CodeBuild build artifacts encryption.
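
One way to check for this setting before deployment, as an added example that is not part of the original page and not GitGuardian's detector: it assumes the project is defined in a CloudFormation JSON template, where the `Artifacts` and `SecondaryArtifacts` blocks of an `AWS::CodeBuild::Project` carry the `EncryptionDisabled` property. The function names and the sample template are constructed for illustration.

```python
import json

# Constructed sample template (not from the original page).
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "LeakyBuild": {
      "Type": "AWS::CodeBuild::Project",
      "Properties": {
        "Artifacts": {"Type": "S3", "Location": "example-bucket", "EncryptionDisabled": true},
        "SecondaryArtifacts": [
          {"Type": "S3", "Location": "example-bucket", "ArtifactIdentifier": "reports", "EncryptionDisabled": "true"}
        ]
      }
    },
    "SafeBuild": {
      "Type": "AWS::CodeBuild::Project",
      "Properties": {"Artifacts": {"Type": "S3", "Location": "example-bucket", "EncryptionDisabled": false}}
    },
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")


def _is_true(value):
    # CloudFormation accepts booleans as JSON true or as the string "true".
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")


def find_unencrypted_artifacts(template):
    """Return (logical_id, property_path) for each artifact block that disables encryption."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::CodeBuild::Project":
            continue
        props = resource.get("Properties", {})
        blocks = [("Artifacts", props.get("Artifacts"))]
        for i, secondary in enumerate(props.get("SecondaryArtifacts") or []):
            blocks.append((f"SecondaryArtifacts[{i}]", secondary))
        for path, block in blocks:
            if isinstance(block, dict) and _is_true(block.get("EncryptionDisabled")):
                findings.append((logical_id, f"{path}.EncryptionDisabled"))
    return findings


if __name__ == "__main__":
    for logical_id, path in find_unencrypted_artifacts(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {path} is true; remove it or set it to false")
```

Secondary artifacts are checked as well as the primary block, since each one carries its own `EncryptionDisabled` flag.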

External documentation