lacework-global-379

CodeBuild project environment variables should not contain clear text credentials (Automated)

Description

The policy checks whether the CodeBuild project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

You should not store AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in clear text, as they can lead to unintended data exposure and unauthorized access if not properly encrypted.

Remediation

From the AWS Console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Developer Tools > CodeBuild.
  4. Select the applicable project.
  5. Click Edit.
  6. Under Environment, click Additional configuration to expand the sub menu.
  7. Under Environment variables, remove any variables named AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY.
  8. Click Update project.

From the CLI:

First, get the existing project information:

aws codebuild batch-get-projects --names <project_name> > <json_file_name>.json

Open the JSON file in a text editor, remove any references to AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY from the environment block of the project, and save the file.

Finally, run the update-project command:

aws codebuild update-project --cli-input-json file://<json_file_name>.json
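As an added example (not part of this policy page or of the AWS CLI), the following Python script performs the manual edit step above offline: it reads batch-get-projects output, reports which variables trip the policy, and produces the update-project input with those variables removed. The sample JSON is constructed with placeholder values, and the set of output-only fields it strips (arn, created, lastModified, webhook, badge) is an assumption to verify against your CLI version.

```python
import json

# Constructed sample in the shape of `aws codebuild batch-get-projects` output,
# trimmed to the fields relevant here (placeholder values, not a real project).
SAMPLE_BATCH_GET = json.dumps({
    "projects": [{
        "name": "example-build",
        "arn": "arn:aws:codebuild:us-east-1:111111111111:project/example-build",
        "environment": {
            "environmentVariables": [
                {"name": "AWS_ACCESS_KEY_ID", "value": "AKIA-PLACEHOLDER", "type": "PLAINTEXT"},
                {"name": "AWS_SECRET_ACCESS_KEY", "value": "placeholder-secret", "type": "PLAINTEXT"},
                {"name": "STAGE", "value": "prod", "type": "PLAINTEXT"},
            ],
        },
    }],
})

# The variable names the policy checks for.
CREDENTIAL_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}
# Read-only fields that batch-get-projects returns but update-project does not
# accept as input (assumed list; verify against your CLI version).
OUTPUT_ONLY_FIELDS = {"arn", "created", "lastModified", "webhook", "badge"}


def load_project(batch_get_json):
    """Extract the single project from batch-get-projects output."""
    projects = json.loads(batch_get_json)["projects"]
    if len(projects) != 1:
        raise ValueError(f"expected exactly one project, got {len(projects)}")
    return projects[0]


def find_clear_text_credentials(project):
    """Detection: names of environment variables that trip the policy."""
    env_vars = project.get("environment", {}).get("environmentVariables", [])
    return [v["name"] for v in env_vars if v["name"] in CREDENTIAL_VARS]


def build_update_input(project):
    """Remediation: strip the credential variables and output-only fields; the
    result is what you save to <json_file_name>.json for update-project."""
    fixed = json.loads(json.dumps(project))  # deep copy, leave the input untouched
    env = fixed.setdefault("environment", {})
    env["environmentVariables"] = [v for v in env.get("environmentVariables", [])
                                   if v["name"] not in CREDENTIAL_VARS]
    for field in OUTPUT_ONLY_FIELDS:
        fixed.pop(field, None)
    return fixed
```

Write the returned dictionary with json.dump to the file you pass to update-project --cli-input-json; any secret the build genuinely needs should then be re-added as a PARAMETER_STORE or SECRETS_MANAGER typed variable rather than as PLAINTEXT.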

References

https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-2
https://docs.aws.amazon.com/codebuild/latest/userguide/change-project-cli.html