Profile Applicability:
- Level 1
Description:
AWS CodeBuild allows you to define environment variables to be used during the build process. These environment variables may contain sensitive information such as API keys, credentials, or tokens. Storing sensitive information in plaintext environment variables can expose secrets to unauthorized access if the environment variables are logged or improperly handled. This SOP ensures that CodeBuild projects are configured to avoid the use of plaintext secrets in environment variables.
Rationale:
Security: Storing secrets in plaintext environment variables can lead to security vulnerabilities if those variables are exposed via logs or misconfigured access controls.
Compliance: Regulatory frameworks like PCI-DSS, HIPAA, and SOC 2 require sensitive data, such as API keys and user credentials, to be stored securely and encrypted.
Best Practices: Sensitive information should be stored securely, using solutions like AWS Secrets Manager, Parameter Store, or encrypted environment variables, rather than plaintext in CodeBuild.
Impact:
Pros:
Enhanced Security: By avoiding plaintext secrets, sensitive data is kept secure, reducing the risk of exposure.
Compliance: Ensures compliance with security best practices and regulatory requirements regarding secret management.
Visibility Control: Ensures that sensitive information is not inadvertently logged or exposed.
Cons:
Complexity: Setting up secure storage for environment variables requires configuring additional services like AWS Secrets Manager or Systems Manager Parameter Store.
Management Overhead: Requires more attention to key management, rotation, and proper access control.
Default Value:
By default, CodeBuild stores environment variables as plaintext values, including any secrets placed in them. This SOP ensures that sensitive information is never exposed in plaintext form within environment variables.
Pre-requisite:
AWS IAM Permissions:
codebuild:UpdateProject
codebuild:BatchGetProjects
secretsmanager:GetSecretValue (if using AWS Secrets Manager)
ssm:GetParameter (if using Systems Manager Parameter Store)
AWS CLI installed and configured.
Ensure that AWS Secrets Manager or AWS Systems Manager Parameter Store is set up for storing secrets securely.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS CodeBuild under Services.
In the CodeBuild Dashboard, select Build Projects.
For each CodeBuild project, check the Environment variables section.
Plaintext Variables: If sensitive information is found, it should be replaced with references to secure storage (e.g., AWS Secrets Manager or Systems Manager Parameter Store).
Ensure that secrets are not listed directly in the environment variables.
Using AWS CLI:
To list all CodeBuild projects, run:
aws codebuild list-projects --query 'projects'
For each project, retrieve the environment variables using:
aws codebuild batch-get-projects --names <project-name> --query 'projects[*].environment.environmentVariables'
Review the output to ensure that secrets are not listed in plaintext. If plaintext secrets are found, replace them with references to AWS Secrets Manager or Systems Manager Parameter Store.
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to AWS CodeBuild.
Select Build Projects and choose the project to update.
Under Environment, check the Environment variables section:
If plaintext secrets are present, replace them with references to AWS Secrets Manager or Systems Manager Parameter Store.
For example, use the following syntax for secrets:
For AWS Secrets Manager:
{ "name": "MY_SECRET_KEY", "value": "{{resolve:secretsmanager:my-secret-id:SecretString:password}}" }
For Systems Manager Parameter Store:
{ "name": "MY_SECRET_KEY", "value": "{{resolve:ssm:my-parameter-name:1}}" }
Save the changes to ensure that secrets are stored securely and are no longer exposed in plaintext in the environment variables.
Using AWS CLI:
To modify a CodeBuild project to use AWS Secrets Manager or Systems Manager Parameter Store for environment variables, run one of the following. Note that --environment replaces the project's entire environment block, so include the existing image, compute type, and every other environment variable the project needs:
Using Secrets Manager:
aws codebuild update-project --name <project-name> --environment "type=LINUX_CONTAINER,image=<image>,computeType=<compute-type>,environmentVariables=[{name=MY_SECRET_KEY,value=my-secret-id:password,type=SECRETS_MANAGER}]"
Using Systems Manager Parameter Store:
aws codebuild update-project --name <project-name> --environment "type=LINUX_CONTAINER,image=<image>,computeType=<compute-type>,environmentVariables=[{name=MY_SECRET_KEY,value=my-parameter-name,type=PARAMETER_STORE}]"
Verify the update was successful by running:
aws codebuild batch-get-projects --names <project-name> --query 'projects[*].environment.environmentVariables'
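As an added example (not part of this SOP or of any AWS tooling), the Test Plan's review of batch-get-projects output and the replacement value format from the Implementation Steps, written as a Python check over constructed sample output. The variable-name heuristic, the sample project names and values, and the boto3-based audit_account helper are assumptions.

```python
import re

# Heuristic for credential-bearing variable names (an assumption; tune per environment).
SECRET_NAME_RE = re.compile(
    r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_KEY|CREDENTIAL", re.IGNORECASE)
SECURE_TYPES = {"SECRETS_MANAGER", "PARAMETER_STORE"}

def find_plaintext_secrets(projects):
    """Return (project, variable, type) for secret-looking variables that are not
    Secrets Manager / Parameter Store references. `projects` is the "projects"
    list from `aws codebuild batch-get-projects` output."""
    findings = []
    for project in projects:
        for var in project.get("environment", {}).get("environmentVariables", []):
            vtype = var.get("type", "PLAINTEXT")  # CodeBuild's default variable type
            if vtype not in SECURE_TYPES and SECRET_NAME_RE.search(var.get("name", "")):
                findings.append((project["name"], var["name"], vtype))
    return findings

def secure_reference(name, secret_id, json_key=None):
    """Replacement variable: value is the secret id, optionally ':json-key' for one key of a JSON secret."""
    value = secret_id if json_key is None else f"{secret_id}:{json_key}"
    return {"name": name, "value": value, "type": "SECRETS_MANAGER"}

def audit_account(region=None):
    """Live variant (not exercised offline): fetch every project with boto3 (assumed installed)."""
    import boto3
    cb = boto3.client("codebuild", region_name=region)
    names = [n for p in cb.get_paginator("list_projects").paginate() for n in p["projects"]]
    projects = []
    for i in range(0, len(names), 100):  # batch_get_projects accepts at most 100 names
        projects.extend(cb.batch_get_projects(names=names[i:i + 100])["projects"])
    return find_plaintext_secrets(projects)

# Constructed sample in the shape of batch-get-projects output (names and values are made up).
SAMPLE = {"projects": [
    {"name": "app-build", "environment": {"type": "LINUX_CONTAINER", "environmentVariables": [
        {"name": "BUILD_ENV", "value": "staging", "type": "PLAINTEXT"},
        {"name": "DB_PASSWORD", "value": "hunter2-constructed", "type": "PLAINTEXT"},
        {"name": "API_TOKEN", "value": "prod/api:token", "type": "SECRETS_MANAGER"}]}},
    {"name": "docs-build", "environment": {"type": "LINUX_CONTAINER", "environmentVariables": [
        {"name": "GITHUB_TOKEN", "value": "/docs/github-token", "type": "PARAMETER_STORE"}]}}]}

if __name__ == "__main__":
    for project, var, vtype in find_plaintext_secrets(SAMPLE["projects"]):
        print(f"{project}: {var} is {vtype}; replace with", secure_reference(var, "<secret-id>"))
```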
Backout Plan:
Using AWS Console:
If enabling secret management causes issues, sign in to the AWS Management Console.
Navigate to AWS CodeBuild and select the affected build project.
Under Environment Variables, revert the changes to store sensitive data in plaintext.
Save the changes.
Using AWS CLI:
To revert the environment variables back to plaintext, run the following command (--environment replaces the whole environment block, so include the project's existing image, compute type, and other variables):
aws codebuild update-project --name <PROJECT_NAME> --environment "type=LINUX_CONTAINER,image=<IMAGE>,computeType=<COMPUTE_TYPE>,environmentVariables=[{name=<SECRET_NAME>,value=<SECRET_VALUE>,type=PLAINTEXT}]" --region <REGION>
Verify that the environment variables are correctly configured by describing the CodeBuild Project again:
aws codebuild batch-get-projects --names <PROJECT_NAME> --region <REGION>