
CodeBuild build artifacts encryption should not be disabled

  • GG_ID: GG_IAC_0029
  • Severity: HIGH
  • Complexity: LOW
  • Categories: DATA, PERMISSION
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True


CodeBuild uses artifacts such as a cache, logs, exported raw test report data files, and build results. These should always be encrypted so that the data stays protected if access is compromised.


An attacker could read the CodeBuild build artifacts if they gain access to the AWS account.

Remediation guidelines

Do not disable the CodeBuild build artifacts encryption.
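
As an added example (not part of the original page), assuming the project is defined with the Terraform AWS provider: the `encryption_disabled` argument of the `artifacts` block is the setting to leave off. Resource names, the bucket, the repository URL and the ARNs are constructed placeholders.

```hcl
# Added example; every name, bucket and ARN below is a placeholder.

# Non-compliant: artifact encryption is explicitly turned off.
resource "aws_codebuild_project" "insecure" {
  name         = "example-insecure"
  service_role = "arn:aws:iam::123456789012:role/example-codebuild"

  artifacts {
    type                = "S3"
    location            = "example-artifact-bucket"
    encryption_disabled = true # build output is written unencrypted
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:7.0"
    type         = "LINUX_CONTAINER"
  }

  source {
    type     = "GITHUB"
    location = "https://github.com/example/example.git"
  }
}

# Compliant: encryption stays enabled (false is also the default when the
# argument is omitted) and a customer-managed KMS key is set for the project.
resource "aws_codebuild_project" "secure" {
  name           = "example-secure"
  service_role   = "arn:aws:iam::123456789012:role/example-codebuild"
  encryption_key = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"

  artifacts {
    type                = "S3"
    location            = "example-artifact-bucket"
    encryption_disabled = false
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:7.0"
    type         = "LINUX_CONTAINER"
  }

  source {
    type     = "GITHUB"
    location = "https://github.com/example/example.git"
  }
}
```

The same argument exists on `secondary_artifacts` blocks, so review those as well when a project publishes more than one artifact set.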

External documentation