CodeBuild Project artifacts encryption should not be disabled
Default Severity: high
Explanation
All artifacts produced by your CodeBuild project pipeline should always be encrypted.
Possible Impact
CodeBuild project artifacts are unencrypted
Suggested Resolution
Enable encryption for CodeBuild project artifacts
Insecure Example
The following example will fail the aws-codebuild-enable-encryption check.
resource "aws_codebuild_project" "bad_example" {
  // other config
  artifacts {
    // other artifacts config
    encryption_disabled = true
  }
}

resource "aws_codebuild_project" "bad_example" {
  // other config including primary artifacts
  secondary_artifacts {
    // other artifacts config
    encryption_disabled = false
  }
  secondary_artifacts {
    // other artifacts config
    encryption_disabled = true
  }
}
Secure Example
The following example will pass the aws-codebuild-enable-encryption check.
resource "aws_codebuild_project" "good_example" {
  // other config
  artifacts {
    // other artifacts config
    encryption_disabled = false
  }
}

resource "aws_codebuild_project" "good_example" {
  // other config
  artifacts {
    // other artifacts config
  }
}

resource "aws_codebuild_project" "codebuild" {
  // other config
  secondary_artifacts {
    // other artifacts config
    encryption_disabled = false
  }
  secondary_artifacts {
    // other artifacts config
  }
}