CodeBuild project environment variables should not contain clear text credentials
Severity: Critical
Resource Types: AWS::CodeBuild::Project
Description
This control checks whether the project contains the environment variables AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY
.
Authentication credentials AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY
should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access.
Remediation
To remediate this issue, update your CodeBuild project to remove the environment variable.
To remove environment variables from a CodeBuild project
- Open the CodeBuild console.
- Expand
Build
. - Choose
Build project
, and then choose the build project that contains plaintext credentials. - From
Edit
, chooseEnvironment
. - Expand
Additional configuration
. - Choose
Remove
next to the environment variables. - Choose
Update environment
.
To store sensitive values in the Amazon EC2 Systems Manager Parameter Store and then retrieve them from your build spec
- Open the CodeBuild console.
- Expand
Build
. - Choose
Build project
, and then choose the build project that contains plaintext credentials. - From
Edit
, chooseEnvironment
. - Expand
Additional configuration
and scroll toEnvironment variables
. - Follow this tutorial to create a Systems Manager parameter that contains your sensitive data.
- After you create the parameter, copy the parameter name.
- Back in the CodeBuild console, choose
Create environmental variable
. - Enter the name of your variable as it appears in your build spec.
- For
Value
, paste the name of your parameter. - For
Type
, chooseParameter
. - To remove your noncompliant environmental variable that contains plaintext credentials, choose
Remove
. - Choose
Update environment
.