Skip to content

CodeBuild Project artifacts encryption should not be disabled

Default Severity: high

Explanation

All artifacts produced by your CodeBuild project pipeline should always be encrypted

Possible Impact

CodeBuild project artifacts are unencrypted

Suggested Resolution

Enable encryption for CodeBuild project artifacts

Insecure Example

The following example will fail the aws-codebuild-enable-encryption check.

 resource "aws_codebuild_project" "bad_example" {
    // other config

    artifacts {
        // other artifacts config

        encryption_disabled = true
    }
 }

 resource "aws_codebuild_project" "bad_example" {
    // other config including primary artifacts

    secondary_artifacts {
        // other artifacts config

        encryption_disabled = false
    }

    secondary_artifacts {
        // other artifacts config

        encryption_disabled = true
    }
 }

Secure Example

The following example will pass the aws-codebuild-enable-encryption check.

 resource "aws_codebuild_project" "good_example" {
    // other config

    artifacts {
        // other artifacts config

        encryption_disabled = false
    }
 }

 resource "aws_codebuild_project" "good_example" {
    // other config

    artifacts {
        // other artifacts config
    }
 }

 resource "aws_codebuild_project" "codebuild" {
    // other config

    secondary_artifacts {
        // other artifacts config

        encryption_disabled = false
    }

    secondary_artifacts {
        // other artifacts config
    }
 }