Profile Applicability:

  • Level 1

Description:

AWS CodeBuild report groups track and manage the results of your builds: a report group is either a test report group or a code coverage report group, and it can be configured to export the raw report data files for each run to an Amazon S3 bucket. For data protection, it is important that those exported files are encrypted at rest. This ensures that build-related data such as test results and coverage data (which can reveal source file paths, test names and internal details of the code base) is stored securely and meets compliance and security requirements.

Rationale:

  • Data Protection: Encrypting report group exports ensures that sensitive build and test data is protected from unauthorized access.

  • Compliance: Many regulatory frameworks (e.g., HIPAA, PCI DSS) require data to be encrypted at rest to prevent unauthorized access to sensitive information.

  • Security: By encrypting the reports, you ensure that any sensitive or proprietary code and build outputs are safeguarded, reducing the risk of data exposure.

Impact:

Pros:

  • Improved Security: Encrypting CodeBuild report exports ensures that the raw report files are protected at rest in the S3 export location. (Transport to S3 is protected separately by TLS; this control does not change that.)

  • Compliance Assurance: Encrypting at rest helps you meet compliance requirements such as HIPAA and PCI-DSS.

  • Defense in depth: With a customer managed KMS key, reading an exported report requires both access to the S3 object and kms:Decrypt on the key, so a misconfigured bucket policy alone does not expose the plaintext.

Cons:

  • Performance Impact: Server-side encryption adds a small overhead when the report files are written to and read from S3; for the file sizes involved this is negligible.

  • Cost: Using a customer managed AWS KMS key incurs a monthly key charge plus per-request charges for the encrypt and decrypt calls made when reports are exported and read.

  • Operational dependency: Builds that export reports must be able to use the key. If the key policy or the CodeBuild service role does not grant the required KMS permissions, report export fails until that is fixed.

Default Value:

A report group exports nothing unless its export configuration type is set to S3 (the alternative is NO_EXPORT). For S3 exports, the s3Destination setting encryptionDisabled controls whether CodeBuild encrypts the exported raw data files, and encryptionKey selects the KMS key used. Because encryptionDisabled can be set when a report group is created or edited, verify the setting for every report group that exports to S3 rather than relying on a default.


Pre-requisite:

  • AWS IAM Permissions (for the principal performing the audit and remediation):

    • codebuild:ListReportGroups

    • codebuild:BatchGetReportGroups

    • codebuild:CreateReportGroup

    • codebuild:UpdateReportGroup

  • AWS KMS: the CodeBuild service role used by the builds that write reports must be allowed to use the chosen key (for example kms:Encrypt and kms:GenerateDataKey, granted through the key policy and/or the role's IAM policy); principals that read the exported reports need kms:Decrypt.

  • AWS CLI installed and configured.

  • You must have the necessary permissions to configure AWS CodeBuild and AWS KMS for encryption at rest.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS CodeBuild under Services.

  3. In the CodeBuild Dashboard, select Report groups.

  4. Choose the report group you want to check.

  5. Review the report group's export settings (Export to Amazon S3).

    • If the report group does not export to S3, no raw data is written to a bucket and this recommendation does not apply to it.

    • If it exports to S3 and encryption is enabled, the settings show the KMS key used for encryption.

    • If encryption is disabled, you will need to enable it by editing the report group.

Using AWS CLI:

  1. List the report groups in the region to obtain their ARNs:

    aws codebuild list-report-groups

  2. To check the export and encryption settings of a report group, run the following command (the parameter takes one or more ARNs):

    aws codebuild batch-get-report-groups --report-group-arns <report-group-arn> --query 'reportGroups[*].{Name:name,ExportType:exportConfig.exportConfigType,EncryptionDisabled:exportConfig.s3Destination.encryptionDisabled,EncryptionKey:exportConfig.s3Destination.encryptionKey}'

  3. Review the output:

  • If ExportType is NO_EXPORT, the report group writes nothing to S3 and the recommendation does not apply.

  • If ExportType is S3 and EncryptionDisabled is false (or null), the exported report files are encrypted; EncryptionKey shows the KMS key in use.

  • If ExportType is S3 and EncryptionDisabled is true, the exported report files are not encrypted and the report group is non-compliant.

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to AWS CodeBuild.

  2. In the CodeBuild Dashboard, select Report groups and choose the report group you want to configure.

  3. Choose to edit the report group.

  4. Under Export to Amazon S3, make sure encryption of the exported raw data is not disabled.

  5. Select the KMS key to use for encrypting the report exports. Confirm that the key policy allows the CodeBuild service role to use the key.

  6. Save the changes to apply the encryption settings.

Using AWS CLI:

  1. Record the report group's current export configuration first; update-report-group replaces the whole export configuration, so the existing bucket, path and packaging must be carried over:

    aws codebuild batch-get-report-groups --report-group-arns <report-group-arn> --query 'reportGroups[0].exportConfig'

  2. To enable encryption at rest for the report group, run (the --export-config parameter takes the export configuration as JSON; substitute the values recorded in step 1 and the ARN of the KMS key):

    aws codebuild update-report-group --arn <report-group-arn> --export-config '{"exportConfigType":"S3","s3Destination":{"bucket":"<bucket>","path":"<path>","packaging":"ZIP","encryptionDisabled":false,"encryptionKey":"<kms-key-arn>"}}'

  3. To verify that encryption at rest is enabled, run:

    aws codebuild batch-get-report-groups --report-group-arns <report-group-arn> --query 'reportGroups[*].{Name:name,ExportType:exportConfig.exportConfigType,EncryptionDisabled:exportConfig.s3Destination.encryptionDisabled,EncryptionKey:exportConfig.s3Destination.encryptionKey}'

  4. Run a build that produces a report and confirm the export succeeds; a KMS access denied error at this point means the CodeBuild service role is not permitted to use the key.
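The audit and remediation steps above can be applied across every report group in a region by scripting against the batch-get-report-groups response. The following is an added example (not part of the original recommendation or of any AWS tooling) that evaluates a response, flags the report groups that export to S3 with encryption disabled, and builds the exact --export-config JSON and update-report-group command that re-enables encryption while keeping the group's existing bucket, path and packaging. The response is a constructed sample with placeholder account, bucket and key identifiers; in practice you would feed it the parsed output of `aws codebuild batch-get-report-groups --report-group-arns ...`. The treatment of a missing encryptionKey as "encrypted, key choice to be reviewed" is an assumption made for the example.

```python
"""Audit CodeBuild report groups for unencrypted S3 exports and build the
update-report-group command that turns encryption on with a chosen KMS key."""
import json

# Constructed sample shaped like `aws codebuild batch-get-report-groups` output.
# Account number, bucket name and key IDs are placeholders, not real resources.
SAMPLE_RESPONSE = {
    "reportGroups": [
        {
            "arn": "arn:aws:codebuild:us-east-1:111122223333:report-group/unit-tests",
            "name": "unit-tests",
            "type": "TEST",
            "exportConfig": {
                "exportConfigType": "S3",
                "s3Destination": {
                    "bucket": "example-build-reports",
                    "path": "unit-tests",
                    "packaging": "ZIP",
                    "encryptionDisabled": True,        # non-compliant
                },
            },
        },
        {
            "arn": "arn:aws:codebuild:us-east-1:111122223333:report-group/coverage",
            "name": "coverage",
            "type": "CODE_COVERAGE",
            "exportConfig": {
                "exportConfigType": "S3",
                "s3Destination": {
                    "bucket": "example-build-reports",
                    "path": "coverage",
                    "packaging": "NONE",
                    "encryptionDisabled": False,
                    "encryptionKey": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
                },
            },
        },
        {
            "arn": "arn:aws:codebuild:us-east-1:111122223333:report-group/scratch",
            "name": "scratch",
            "type": "TEST",
            "exportConfig": {"exportConfigType": "NO_EXPORT"},   # nothing written to S3
        },
    ],
    "reportGroupsNotFound": [],
}


def assess_report_group(group):
    """Return (status, detail) for one reportGroups entry.

    PASS - exports to S3 with encryption on
    FAIL - exports to S3 with encryptionDisabled=true
    N/A  - NO_EXPORT: no raw data reaches S3, so the control does not apply
    """
    export = group.get("exportConfig", {})
    if export.get("exportConfigType") != "S3":
        return "N/A", "no S3 export configured"
    dest = export.get("s3Destination", {})
    if dest.get("encryptionDisabled", False):
        return "FAIL", f"s3://{dest.get('bucket')}/{dest.get('path', '')} written unencrypted"
    key = dest.get("encryptionKey")
    if key:
        return "PASS", f"encrypted with {key}"
    # Assumption for this example: no explicit key means the service default is
    # used; still surface it so the key choice gets reviewed against policy.
    return "PASS", "encrypted, no explicit KMS key set (review key choice)"


def audit(response):
    """Map report group name -> (status, detail) for a whole response."""
    return {g["name"]: assess_report_group(g) for g in response.get("reportGroups", [])}


def failing_arns(response):
    """ARNs of the report groups that need remediation."""
    return [g["arn"] for g in response.get("reportGroups", [])
            if assess_report_group(g)[0] == "FAIL"]


def remediated_export_config(group, kms_key_arn):
    """Export config for --export-config that keeps the existing bucket/path/
    packaging and enables encryption with kms_key_arn. Only valid for groups
    that already export to S3 (FAIL cases); the input dict is not modified."""
    dest = dict(group["exportConfig"]["s3Destination"])
    dest["encryptionDisabled"] = False
    dest["encryptionKey"] = kms_key_arn
    return {"exportConfigType": "S3", "s3Destination": dest}


def update_command(group, kms_key_arn):
    """The aws CLI command that applies remediated_export_config()."""
    cfg = json.dumps(remediated_export_config(group, kms_key_arn), separators=(",", ":"))
    return f"aws codebuild update-report-group --arn {group['arn']} --export-config '{cfg}'"


if __name__ == "__main__":
    for name, (status, detail) in audit(SAMPLE_RESPONSE).items():
        print(f"{status:4} {name}: {detail}")
    key = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
    for g in SAMPLE_RESPONSE["reportGroups"]:
        if assess_report_group(g)[0] == "FAIL":
            print(update_command(g, key))
```

Keep the output of the first pass (the pre-change export configuration of each failing group) alongside the generated commands; it is what the backout plan restores.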

Backout Plan:

The change is made on the report group's export configuration, not on the S3 bucket, so backing out means restoring the report group's previous export configuration. Note that this only affects reports exported after the change; objects already written with the new key remain encrypted with it, and the bucket's own default encryption setting is a separate control that this recommendation does not modify.

Using AWS Console:

  1. If enabling encryption causes issues (for example, builds fail to export reports because the service role cannot use the key), sign in to the AWS Management Console.

  2. Navigate to AWS CodeBuild, select Report groups, choose the affected report group and edit it.

  3. Under Export to Amazon S3, restore the previous key, or the previous settings recorded before the change.

  4. Save the changes and run a build to confirm that reports are exported again.

Using AWS CLI:

  1. Re-apply the export configuration recorded before the change (the same JSON shape used in the implementation steps):

    aws codebuild update-report-group --arn <report-group-arn> --export-config '<previously-recorded-exportConfig-json>'

  2. Verify that the export configuration has been restored:

    aws codebuild batch-get-report-groups --report-group-arns <report-group-arn> --query 'reportGroups[0].exportConfig'

References:

CIS Controls Mapping:

  Version   Control ID   Control Description                              IG1   IG2   IG3
  v8        3.3          Configure Data Access Control Lists              x     x     x
  v8        3.11         Encrypt Sensitive Data at Rest                         x     x
  v8        6.8          Define and Maintain Role-Based Access Control          x     x