CodeBuild project environments should have a logging AWS Configuration
Severity: Medium
Resource Types: AWS::CodeBuild::Project
Description
This control checks whether a CodeBuild project environment has at least one log option enabled, either to S3 or to CloudWatch Logs. This control fails if a CodeBuild project environment does not have at least one log option enabled.
From a security perspective, logging is an important feature to enable for future forensics efforts in the case of any security incidents. Correlating anomalies in CodeBuild projects with threat detections can increase confidence in the accuracy of those threat detections.
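The check described above, as an added example (not AWS's own rule code): it applies the pass/fail condition to constructed project records shaped like the `projects` array returned by `aws codebuild batch-get-projects`. The project names, log group and bucket are made up, and treating a missing `logsConfig` block as a failure is an assumption of this example.

```python
import json

# Constructed sample, shaped like `aws codebuild batch-get-projects` output.
SAMPLE = json.loads("""
{"projects": [
  {"name": "app-build", "logsConfig": {
      "cloudWatchLogs": {"status": "ENABLED", "groupName": "/codebuild/app-build"},
      "s3Logs": {"status": "DISABLED"}}},
  {"name": "legacy-build", "logsConfig": {
      "cloudWatchLogs": {"status": "DISABLED"},
      "s3Logs": {"status": "DISABLED"}}},
  {"name": "archive-build", "logsConfig": {
      "cloudWatchLogs": {"status": "DISABLED"},
      "s3Logs": {"status": "ENABLED", "location": "example-log-bucket/codebuild"}}},
  {"name": "no-logs-block"}
]}
""")

# The two log options the control accepts.
LOG_DESTINATIONS = ("cloudWatchLogs", "s3Logs")


def enabled_destinations(project):
    """Return the log destinations whose status is ENABLED for one project."""
    # Assumption: an absent logsConfig (or absent destination) counts as not enabled.
    logs = project.get("logsConfig") or {}
    return [d for d in LOG_DESTINATIONS
            if (logs.get(d) or {}).get("status") == "ENABLED"]


def evaluate(projects):
    """Map project name -> (status, enabled destinations).

    A project passes with at least one enabled destination and fails with none.
    """
    results = {}
    for project in projects:
        enabled = enabled_destinations(project)
        results[project["name"]] = ("PASSED" if enabled else "FAILED", enabled)
    return results


if __name__ == "__main__":
    for name, (status, enabled) in evaluate(SAMPLE["projects"]).items():
        detail = ", ".join(enabled) or "no log destination enabled"
        print(f"{status:6} {name:15} {detail}")
```
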
Remediation
For more information on how to configure CodeBuild project log settings, see Create a build project (console) in the CodeBuild User Guide.