CodeBuild build artifacts encryption should not be disabled
- GG_ID: GG_IAC_0029
- Severity: HIGH
- Complexity: LOW
- Categories: DATA, PERMISSION
- Providers: AWS
- Potential data exposure: True
- Visible in logs: False
- User interaction required: False
- Privileges required: True
CodeBuild uses artifacts such as a cache, logs, exported raw test report data files, and build results. These should always be encrypted so that the data stays protected if access is compromised.
An attacker who gains access to the AWS account could read the CodeBuild build artifacts.
Do not disable the CodeBuild build artifacts encryption.
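One way to check for this setting before deployment, as an added example that is not part of the original policy page or the scanner's own code. It assumes the projects are defined in Terraform (`aws_codebuild_project`, whose `artifacts` and `secondary_artifacts` blocks take `encryption_disabled`) and that the plan was exported with `terraform show -json`; the function names and the sample plan are constructed for illustration.

```python
import json

# Constructed sample: trimmed `terraform show -json` plan output (not from the page).
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_codebuild_project.bad", "type": "aws_codebuild_project",
     "values": {"artifacts": [{"type": "S3", "encryption_disabled": true}],
                "secondary_artifacts": []}},
    {"address": "aws_codebuild_project.good", "type": "aws_codebuild_project",
     "values": {"artifacts": [{"type": "S3", "encryption_disabled": false}],
                "secondary_artifacts": [
                  {"artifact_identifier": "reports", "type": "S3"}]}}],
  "child_modules": [{"resources": [
    {"address": "module.ci.aws_codebuild_project.nested",
     "type": "aws_codebuild_project",
     "values": {"artifacts": [{"type": "S3"}],
                "secondary_artifacts": [
                  {"artifact_identifier": "cache", "type": "S3",
                   "encryption_disabled": true}]}}]}]}}}
""")


def iter_resources(module):
    """Yield resources from a module and, recursively, from its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def unencrypted_artifacts(plan):
    """Return (address, block, identifier) for each block that disables encryption."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "aws_codebuild_project":
            continue
        values = res.get("values") or {}
        for block in ("artifacts", "secondary_artifacts"):
            for art in values.get(block) or []:
                # The Terraform AWS provider ignores the flag for NO_ARTIFACTS.
                if art.get("type") == "NO_ARTIFACTS":
                    continue
                if art.get("encryption_disabled") is True:
                    findings.append(
                        (res["address"], block, art.get("artifact_identifier")))
    return findings


if __name__ == "__main__":
    for address, block, ident in unencrypted_artifacts(SAMPLE_PLAN):
        print(f"{address}: {block} {ident or ''} sets encryption_disabled = true")
```

The check covers secondary artifacts and resources inside child modules, which a search of only the top-level `artifacts` block would miss.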