Profile Applicability:

  • Level 1

Description:

Amazon CodeBuild stores build logs in Amazon S3 by default. These logs can contain sensitive information, such as environment variables, build outputs, and error messages. To protect this data, it is essential that CodeBuild logs stored in S3 are encrypted at rest. This SOP ensures that the S3 bucket used by CodeBuild for storing logs has encryption at rest enabled, using either AWS-managed keys (SSE-S3) or customer-managed keys (SSE-KMS).

Rationale:

  • Data Protection: Encryption at rest ensures that sensitive information in build logs is protected from unauthorized access or breaches.

  • Compliance: Many industry standards, such as HIPAA, PCI-DSS, and SOC 2, require data at rest to be encrypted, particularly for logs containing potentially sensitive information.

  • Security Best Practices: Ensuring that all logs are encrypted at rest prevents unauthorized parties from accessing build data if they gain access to the S3 bucket.

Impact:

Pros:

  • Enhanced Security: Ensures that sensitive data in CodeBuild logs is secure and protected from unauthorized access.

  • Compliance: Helps meet the encryption requirements of various compliance frameworks.

  • Data Integrity: Provides assurance that the logs are not altered by unauthorized entities.

Cons:

  • Cost: Using AWS KMS for customer-managed encryption keys may incur additional costs for key management.

  • Performance Impact: There may be minimal performance overhead associated with encryption at rest, although it’s typically negligible.

Default Value:

By default, CodeBuild logs are not encrypted at rest unless configured during the creation of the S3 bucket or modified afterward.

Pre-requisite:

  • AWS IAM Permissions:

    • s3:PutBucketEncryption

    • s3:GetBucketEncryption

    • s3:PutObject

    • s3:PutBucketPolicy

    • kms:Encrypt (if using SSE-KMS)

  • AWS CLI installed and configured.

  • Ensure that the S3 bucket used by CodeBuild is correctly configured for encryption at rest, either using SSE-S3 (AWS-managed keys) or SSE-KMS (customer-managed keys).

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon S3 under Services.

  3. In the S3 Dashboard, locate and select the S3 bucket used by CodeBuild to store logs.

  4. Under the Properties tab, scroll to the Default encryption section.

  5. Verify that Server-side encryption is enabled.

    • If SSE-S3 is selected, AWS-managed encryption keys are used.

    • If SSE-KMS is selected, KMS keys are used for encryption at rest.

  6. If encryption is not enabled, enable it by selecting the appropriate encryption method.

Using AWS CLI:

  1. To check if encryption at rest is enabled for the S3 bucket, run:

    aws s3api get-bucket-encryption --bucket <bucket-name> --query 'ServerSideEncryptionConfiguration'

  2. Review the output:

    • If a rule with SSEAlgorithm AES256 (SSE-S3) or aws:kms (SSE-KMS) is listed under ServerSideEncryptionConfiguration, encryption is enabled.

    • If no encryption configuration is returned (the command fails with ServerSideEncryptionConfigurationNotFoundError), encryption is not enabled.
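An added audit script (example code, not part of this SOP) that applies the same check programmatically: it reads the CodeBuild project's logsConfig.s3Logs to find the log bucket, which the console steps leave to the operator, and then classifies the bucket's default encryption rule the way step 2 does. The project and bucket names, the KMS key ARN and the sample API responses are constructed; live_audit is the only part that talks to AWS and assumes boto3 is installed with read access to CodeBuild and S3.

```python
from typing import Optional
# Constructed sample inputs (hypothetical project and bucket, not real resources), in the shapes
# returned by `aws codebuild batch-get-projects` and `aws s3api get-bucket-encryption`.
SAMPLE_PROJECT = {"name": "example-build", "logsConfig": {"s3Logs": {
    "status": "ENABLED", "location": "example-build-logs/logs", "encryptionDisabled": False}}}
SAMPLE_BUCKET_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    "BucketKeyEnabled": True}]}}

def log_bucket(s3_logs: dict) -> str:
    """CodeBuild stores the log location as 'bucket/prefix' or 'arn:aws:s3:::bucket/prefix'."""
    return s3_logs.get("location", "").removeprefix("arn:aws:s3:::").split("/", 1)[0]

def classify_bucket_encryption(response: Optional[dict]) -> dict:
    """Summarise a get-bucket-encryption response; None stands for a call that failed with
    ServerSideEncryptionConfigurationNotFoundError, i.e. the bucket has no default rule."""
    for rule in (response or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "AES256":
            return {"mode": "SSE-S3", "kms_key": None}
        if default.get("SSEAlgorithm") in ("aws:kms", "aws:kms:dsse"):  # SSE-KMS or DSSE-KMS
            return {"mode": "SSE-KMS", "kms_key": default.get("KMSMasterKeyID")}
    return {"mode": None, "kms_key": None}

def audit_project(project: dict, bucket_encryption: Optional[dict]) -> list:
    """Findings for one project description plus its log bucket's encryption response."""
    s3_logs = project.get("logsConfig", {}).get("s3Logs", {})
    if s3_logs.get("status") != "ENABLED":
        return []  # the project does not write build logs to S3, so there is nothing to check
    bucket, findings = log_bucket(s3_logs), []
    if s3_logs.get("encryptionDisabled"):  # project uploads logs without requesting SSE itself
        findings.append(f"{project['name']}: s3Logs.encryptionDisabled is true; uploads to {bucket} rely on the bucket default alone")
    if classify_bucket_encryption(bucket_encryption)["mode"] is None:
        findings.append(f"{bucket}: no default encryption rule (SSE-S3 or SSE-KMS) configured")
    return findings

def live_audit(project_name: str, region: str = "us-east-1") -> list:
    """The same audit against a real account (needs boto3 and read access to both services)."""
    import boto3, botocore.exceptions  # imported lazily so the offline functions need no SDK
    project = boto3.client("codebuild", region_name=region).batch_get_projects(
        names=[project_name])["projects"][0]
    s3_logs, enc = project.get("logsConfig", {}).get("s3Logs", {}), None
    if s3_logs.get("status") == "ENABLED":
        try:
            enc = boto3.client("s3").get_bucket_encryption(Bucket=log_bucket(s3_logs))
        except botocore.exceptions.ClientError as err:  # "not found" is a finding, not a crash
            if err.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
                raise
    return audit_project(project, enc)
```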

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon S3.

  2. In the S3 Dashboard, locate and select the S3 bucket used by CodeBuild.

  3. Under the Properties tab, scroll to the Default encryption section.

  4. If encryption is not enabled:

    • Select Enable for Default encryption.

    • Choose either SSE-S3 (default AWS-managed encryption) or SSE-KMS (for customer-managed keys).

    • If using SSE-KMS, choose the appropriate KMS key from the list or create a new one.

  5. Save the changes to ensure encryption at rest is enabled for the bucket.

Using AWS CLI:

  1. To enable encryption for the S3 bucket using SSE-S3 (AWS-managed keys), run:

    aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration '{
        "Rules": [
          {
            "ApplyServerSideEncryptionByDefault": {
              "SSEAlgorithm": "AES256"
            }
          }
        ]
      }'

  2. Or, for SSE-KMS (customer-managed keys), run:

    aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration '{
        "Rules": [
          {
            "ApplyServerSideEncryptionByDefault": {
              "SSEAlgorithm": "aws:kms",
              "KMSMasterKeyID": "<kms-key-id>"
            }
          }
        ]
      }'

  3. To verify encryption is enabled, run:

    aws s3api get-bucket-encryption --bucket <bucket-name> --query 'ServerSideEncryptionConfiguration'

Backout Plan:

Using AWS Console:

  1. If encryption causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon S3, select the bucket, and go to the Properties tab.

  3. Under Default encryption, change the encryption method or disable encryption if necessary.

  4. Save the changes and confirm that new log objects are written with the changed (or removed) encryption setting.

Using AWS CLI:

  1. To switch the bucket back to SSE-S3 (AWS-managed keys), or to a different KMS key by adjusting the configuration accordingly, run:

    aws s3api put-bucket-encryption --bucket <BUCKET_NAME> --server-side-encryption-configuration '{
      "Rules": [
        {
          "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "AES256"
          }
        }
      ]
    }'

  2. Verify that the encryption settings have been reverted:

    aws s3api get-bucket-encryption --bucket <BUCKET_NAME>

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                              | IG1 | IG2 | IG3
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                             |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.   |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                        |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                 |     |     |