Profile Applicability:
- Level 1
Description:
AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages for deployment. Logging is a critical part of the build process, allowing you to track build status, troubleshoot failures, and review build history. This SOP ensures that S3 or CloudWatch logging is enabled for CodeBuild projects, which helps to capture detailed logs of the build process for auditing, troubleshooting, and performance analysis.
Rationale:
Visibility: Enabling logging provides transparency into the build process, helping developers and administrators diagnose issues effectively.
Troubleshooting: Logs capture detailed information about build failures, environment variables, and outputs, aiding in faster identification of root causes.
Compliance and Auditing: Many compliance frameworks require logging of key activities, including the CI/CD pipeline. Having build logs stored securely in S3 or CloudWatch allows you to meet such requirements.
Impact:
Pros:
Improved Troubleshooting: Logs provide critical information needed to identify issues in the build process, enabling faster resolutions.
Enhanced Security and Auditing: Logs stored in S3 or CloudWatch are persistent, providing an audit trail for compliance.
Visibility: Enables better tracking and monitoring of CodeBuild project activity.
Cons:
Cost: Storing logs in S3 or CloudWatch may incur additional costs based on the volume of build data and log retention.
Storage Management: Proper storage and management practices (e.g., log rotation, retention policies) are required to prevent unnecessary storage costs from accumulated logs.
Default Value:
By default, CodeBuild projects do not have S3 or CloudWatch logging enabled unless explicitly configured during project setup.
Pre-requisite:
AWS IAM Permissions:
codebuild:UpdateProject
codebuild:BatchGetProjects
logs:CreateLogGroup
logs:CreateLogStream
logs:PutLogEvents
s3:PutObject
s3:GetObject
AWS CLI installed and configured.
Ensure that either an Amazon S3 bucket or an Amazon CloudWatch Logs log group is available as the logging destination.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS CodeBuild under Services.
In the CodeBuild Dashboard, select Build Projects.
For each CodeBuild project, check the Logging configuration:
CloudWatch Logs: Ensure that CloudWatch Logs are configured under the Logs section, and logs are being sent to a CloudWatch Log Group.
S3 Logs: Verify that S3 logging is enabled and that the project logs are being sent to the specified S3 bucket.
If logging is not configured, follow the steps to enable either S3 or CloudWatch Logs.
Using AWS CLI:
To list all CodeBuild projects, run:
aws codebuild list-projects --query 'projects'
To describe a specific CodeBuild project and check its logging configuration:
aws codebuild batch-get-projects --names <project-name> --query 'projects[*].logsConfig'
Review the output to ensure that logsConfig contains either a cloudWatchLogs block with "status": "ENABLED" (and a groupName) or an s3Logs block with "status": "ENABLED" (and a bucket location). A project where both blocks report DISABLED, or where logsConfig is absent, does not meet this control.
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to AWS CodeBuild.
In the CodeBuild Dashboard, select Build Projects and choose the project to review.
Under the Logs section:
For CloudWatch Logs:
Ensure that CloudWatch Logs is selected as the logging destination.
Select or create a Log Group in CloudWatch Logs.
For S3 Logs:
Ensure that S3 is selected as the logging destination.
Specify the S3 bucket and the folder path where the logs will be stored.
Save the changes to enable logging for the CodeBuild project.
Using AWS CLI:
To enable CloudWatch Logs for a CodeBuild project, run:
aws codebuild update-project --name <project-name> --logs-config '{"cloudWatchLogs": {"status": "ENABLED", "groupName": "<log-group-name>", "streamName": "<log-stream-name>"}}'
To enable S3 logging for a CodeBuild project, run:
aws codebuild update-project --name <project-name> --logs-config '{"s3Logs": {"status": "ENABLED", "location": "<s3-bucket-name>/<log-folder>"}}'
Verify that logging is enabled by running:
aws codebuild batch-get-projects --names <project-name> --query 'projects[*].logsConfig'
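The following script is an added example (not part of this SOP and not an AWS-provided tool) that automates the Test Plan check and the CLI Implementation Steps above: it parses the JSON returned by aws codebuild batch-get-projects, classifies each project by whether CloudWatch Logs or S3 logging is ENABLED, and emits the update-project command that would enable CloudWatch Logs for each non-compliant project. The project names, ARNs, bucket and log-group names in the embedded sample are constructed for illustration, and the /codebuild/<project-name> log-group naming and the default region are assumptions you would adjust to your environment.

```python
import json
import shlex
import sys

# Constructed sample in the shape of `aws codebuild batch-get-projects` output.
# Names, log groups and bucket paths are invented for this example.
SAMPLE_BATCH_GET_PROJECTS = json.dumps({
    "projects": [
        {   # CloudWatch Logs enabled: compliant
            "name": "web-frontend",
            "logsConfig": {
                "cloudWatchLogs": {"status": "ENABLED", "groupName": "/codebuild/web-frontend"},
                "s3Logs": {"status": "DISABLED"},
            },
        },
        {   # S3 logging enabled instead: also compliant
            "name": "payments-api",
            "logsConfig": {
                "cloudWatchLogs": {"status": "DISABLED"},
                "s3Logs": {"status": "ENABLED", "location": "example-build-logs/payments-api"},
            },
        },
        {   # Both destinations disabled: non-compliant
            "name": "legacy-batch",
            "logsConfig": {
                "cloudWatchLogs": {"status": "DISABLED"},
                "s3Logs": {"status": "DISABLED"},
            },
        },
        {   # logsConfig absent entirely: treated as non-compliant
            "name": "no-logs-config",
        },
    ],
    "projectsNotFound": [],
})


def logging_enabled(project):
    """Return (cloudwatch_on, s3_on) for one project entry.

    Missing logsConfig, missing sub-blocks and missing status keys all
    evaluate to False rather than raising, so partially configured
    projects are reported instead of crashing the audit.
    """
    cfg = project.get("logsConfig") or {}
    cw_on = (cfg.get("cloudWatchLogs") or {}).get("status") == "ENABLED"
    s3_on = (cfg.get("s3Logs") or {}).get("status") == "ENABLED"
    return cw_on, s3_on


def audit(batch_get_projects_json):
    """Map project name -> finding; compliant when any destination is ENABLED."""
    data = json.loads(batch_get_projects_json)
    findings = {}
    for project in data.get("projects", []):
        cw_on, s3_on = logging_enabled(project)
        findings[project["name"]] = {
            "cloudwatch": cw_on,
            "s3": s3_on,
            "compliant": cw_on or s3_on,
        }
    return findings


def remediation_command(project_name, log_group, region):
    """Build the `update-project` command that enables CloudWatch Logs.

    The --logs-config value uses the same JSON shape as the Implementation
    Steps above (cloudWatchLogs / status / groupName).
    """
    logs_config = {"cloudWatchLogs": {"status": "ENABLED", "groupName": log_group}}
    return " ".join([
        "aws", "codebuild", "update-project",
        "--name", shlex.quote(project_name),
        "--logs-config", shlex.quote(json.dumps(logs_config)),
        "--region", shlex.quote(region),
    ])


def remediation_plan(batch_get_projects_json, region="us-east-1"):
    """One remediation command per non-compliant project, in name order.

    Assumed convention: log group /codebuild/<project-name>.
    """
    findings = audit(batch_get_projects_json)
    return [
        remediation_command(name, f"/codebuild/{name}", region)
        for name, finding in sorted(findings.items())
        if not finding["compliant"]
    ]


if __name__ == "__main__":
    # Pass "-" to read real batch-get-projects output from stdin;
    # otherwise the constructed sample is audited.
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_BATCH_GET_PROJECTS
    for name, finding in sorted(audit(text).items()):
        state = "COMPLIANT" if finding["compliant"] else "NON-COMPLIANT"
        print(f"{name:20} cloudwatch={finding['cloudwatch']} s3={finding['s3']} -> {state}")
    print("\nRemediation commands (review before running):")
    for cmd in remediation_plan(text):
        print(cmd)
```

To audit real projects, pipe the CLI output into the script, for example aws codebuild batch-get-projects --names <project-name> | python3 codebuild_logging_audit.py - and review the printed commands before executing any of them. The printed commands only enable CloudWatch Logs; adapt remediation_command to emit an s3Logs block if S3 is your chosen destination.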
Backout Plan:
Using AWS Console:
If enabling logging causes issues, sign in to the AWS Management Console.
Navigate to AWS CodeBuild and select the Project.
Under Logs, disable CloudWatch Logs or S3 logging as needed.
Save the changes.
Using AWS CLI:
To disable CloudWatch Logs, run the following command:
aws codebuild update-project --name <PROJECT_NAME> --logs-config cloudWatchLogs={status=DISABLED} --region <REGION>
To disable S3 logging, run the following command:
aws codebuild update-project --name <PROJECT_NAME> --logs-config s3Logs={status=DISABLED} --region <REGION>
Verify that logging has been disabled by describing the CodeBuild Project again:
aws codebuild batch-get-projects --names <PROJECT_NAME> --region <REGION>