Profile Applicability:

  • Level 1

Description:

AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy. CodeBuild projects should be actively used and invoked within a specified period, such as the last 90 days, so that only projects that are still relevant and necessary remain in the account. This SOP helps verify whether CodeBuild projects have been invoked in the past 90 days and whether they are actively contributing to the build process or should be archived or deleted.

Rationale:

  • Resource Optimization: Projects that have not been invoked in the past 90 days may no longer be needed. By identifying unused projects, resources can be optimized, and unnecessary costs can be reduced.

  • Security: Unused projects can potentially lead to security vulnerabilities, as they may contain outdated configurations, permissions, or dependencies. Identifying projects that are no longer invoked, and archiving or deleting them, helps mitigate such risks.

  • Operational Efficiency: Keeping only actively used CodeBuild projects simplifies resource management and reduces the risk of human error associated with unused projects.

Impact:

Pros:

  • Improved Resource Management: Identifying unused CodeBuild projects allows for the removal of obsolete resources, leading to more efficient use of resources.

  • Cost Savings: Reducing unused resources helps decrease unnecessary costs related to storage and build processing.

  • Security: Deleting unused projects minimizes the risk of potential security issues in abandoned configurations.

Cons:

  • Possible Data Loss: If a project that is important but inactive is deleted mistakenly, it could result in the loss of valuable historical build data.

  • Overhead: Reviewing and managing all CodeBuild projects to ensure they have been invoked in the last 90 days may take additional administrative effort.

Default Value:

By default, CodeBuild projects do not have an expiration or inactivity check, meaning they could remain in the system indefinitely unless manually reviewed.

Pre-requisite:

  • AWS IAM Permissions:

    • codebuild:ListProjects

    • codebuild:BatchGetProjects

    • codebuild:ListBuildsForProject

    • cloudwatch:DescribeAlarms

  • AWS CLI installed and configured.

  • Ensure that you have appropriate permissions to list and manage CodeBuild projects.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS CodeBuild under Services.

  3. In the CodeBuild Dashboard, select Build projects.

  4. For each project, check the Build history to determine when the project was last invoked.

    • If a project has not been invoked in the last 90 days, consider archiving or deleting it.

Using AWS CLI:

  1. To list all CodeBuild projects, run:

    aws codebuild list-projects --query 'projects'

  2. For each project, check its build history by running:

    aws codebuild list-builds-for-project --project-name <project-name> --query 'ids'

  3. To check the time of the last build for each project, run the following with the most recent build id (a Build object exposes startTime and endTime; there is no timestamp field):

    aws codebuild batch-get-builds --ids <build-id> --query 'builds[*].startTime'

  4. Review the timestamp for the last build. If the project has not been invoked in the last 90 days, consider taking action to either archive or delete the project.

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to CodeBuild.

  2. In the CodeBuild Dashboard, select Build projects and review the last build timestamps for each project.

  3. For each project that has not been invoked in the last 90 days:

    • Delete the project if it is no longer needed.

    • Archive the project or move it to a repository for historical purposes if it may be needed in the future.

Using AWS CLI:

  1. To list CodeBuild projects:

    aws codebuild list-projects --query 'projects'

  2. For each project, retrieve its build history:

    aws codebuild list-builds-for-project --project-name <project-name> --query 'ids'

  3. For the most recent build id of each project, retrieve the start time of that last invocation:

    aws codebuild batch-get-builds --ids <build-id> --query 'builds[*].startTime'

  4. If a project has not been invoked in the last 90 days, consider deleting or archiving the project:

    aws codebuild delete-project --name <project-name>
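The Test Plan and Implementation Steps above walk the same three CLI calls by hand. The following is an added example, not part of this SOP or an AWS-provided tool, that automates the check with boto3: it lists every project in one region, fetches the start time of each project's newest build, and reports the projects that have not been invoked in 90 days (it reports only; the delete step stays a reviewed manual action). It assumes default AWS credentials and a single region, and needs codebuild:ListProjects, codebuild:ListBuildsForProject and codebuild:BatchGetBuilds; the sample data at the bottom is constructed for illustration.

```python
"""Report AWS CodeBuild projects with no build started in the last 90 days."""
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 90


def is_stale(last_start, now, days=INACTIVITY_DAYS):
    """True when the newest build started more than `days` ago, or never ran."""
    return last_start is None or now - last_start > timedelta(days=days)


def classify_projects(last_starts, now, days=INACTIVITY_DAYS):
    """last_starts maps project name -> startTime of its newest build (None if
    it has never been built). Returns the sorted names to review."""
    return sorted(n for n, ts in last_starts.items() if is_stale(ts, now, days))


def latest_build_start(client, project_name):
    """startTime of the newest build, or None if the project has never built.
    ListBuildsForProject sorts by build number, descending by default, so the
    first id is the newest; a Build exposes startTime/endTime (no 'timestamp')."""
    ids = client.list_builds_for_project(projectName=project_name)["ids"]
    if not ids:
        return None
    return client.batch_get_builds(ids=ids[:1])["builds"][0]["startTime"]


def audit(region=None):
    """Walk every project in one region and return the stale ones. Needs boto3
    and codebuild:ListProjects, ListBuildsForProject, BatchGetBuilds; it only
    reports, deletion stays a reviewed manual step (assumed account layout)."""
    import boto3  # imported here so the pure logic above needs no SDK
    client = boto3.client("codebuild", region_name=region)
    last_starts = {}
    for page in client.get_paginator("list_projects").paginate():
        for name in page["projects"]:
            last_starts[name] = latest_build_start(client, name)
    return classify_projects(last_starts, datetime.now(timezone.utc))


SAMPLE_NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # constructed sample, not real data
SAMPLE_LAST_STARTS = {
    "api-build": datetime(2024, 6, 1, tzinfo=timezone.utc),      # 29 days ago: keep
    "legacy-build": datetime(2024, 1, 15, tzinfo=timezone.utc),  # 167 days ago: stale
    "never-run-build": None,                                     # no builds: stale
}

if __name__ == "__main__":
    print("stale (sample):", classify_projects(SAMPLE_LAST_STARTS, SAMPLE_NOW))
```

Run `audit("<region>")` against a real account to get the live list; the returned names are the candidates for the archive-or-delete review in step 4.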

Backout Plan:

Using AWS Console:

  1. If you mistakenly identify a project as inactive, navigate to AWS CodeBuild in the AWS Management Console.

  2. Select the CodeBuild Project.

  3. Review the Build History again to ensure the project is properly configured and activated.

  4. Re-enable scheduled builds or set up triggers to ensure the project is invoked regularly.

Using AWS CLI:

  1. If a project is incorrectly marked as inactive, list the builds for the project:

    aws codebuild list-builds-for-project --project-name <project-name> --region <region>

  2. Check the build logs to verify the project's status and invocation history.

  3. Modify the project configuration to enable regular build invocations if needed.

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                   | IG1 | IG2 | IG3
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                  |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.              |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                        |     |     |