lacework-global-379
CodeBuild project environment variables should not contain clear text credentials (Automated)
Description
The policy checks whether the CodeBuild project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
You should not store AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in clear text, as they can lead to unintended data exposure and unauthorized access if not properly encrypted.
Remediation
From the AWS Console:
- Log in to the AWS Management Console.
- Click Services.
- Select Developer Tools > CodeBuild.
- Select the applicable project.
- Click Edit.
- Under Environment, click Additional configuration to expand the sub menu.
- Under Environment variables, remove any variables named AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY.
- Click Update project.
From the CLI:
First, get the existing project information:
aws codebuild batch-get-projects --names <project_name> > <json_file_name>.json
Open the JSON file in a text editor, remove any references to AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY from the environment block of the project, and save the file.
Finally, run the update-project command:
aws codebuild update-project --cli-input-json file://<json_file_name>.json
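The CLI steps above can be scripted. The following is an added example, not part of this policy page or of any AWS tooling: it runs the check against the JSON produced by batch-get-projects and builds the cleaned input for update-project. It assumes that variables of type PARAMETER_STORE or SECRETS_MANAGER are references rather than clear text (the default type, when omitted, is PLAINTEXT), and that the read-only fields arn, created, lastModified, badge and webhook have to be dropped before the document is accepted by update-project. The project in the sample is constructed.

```python
import copy
import json

# Variable names this control flags.
CREDENTIAL_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}

# Fields present in batch-get-projects output that update-project does not
# accept as input (assumption, see lead-in).
READ_ONLY_FIELDS = {"arn", "created", "lastModified", "badge", "webhook"}

# Constructed sample modelled on "aws codebuild batch-get-projects" output;
# the account id, ARNs and key value are placeholders, not real credentials.
SAMPLE_BATCH_GET_OUTPUT = json.loads("""{
  "projects": [{
    "name": "example-build",
    "arn": "arn:aws:codebuild:us-east-1:111122223333:project/example-build",
    "created": 1700000000.0,
    "lastModified": 1700000000.0,
    "serviceRole": "arn:aws:iam::111122223333:role/example-codebuild-role",
    "environment": {
      "type": "LINUX_CONTAINER",
      "image": "aws/codebuild/standard:7.0",
      "computeType": "BUILD_GENERAL1_SMALL",
      "environmentVariables": [
        {"name": "AWS_ACCESS_KEY_ID", "value": "AKIA-PLACEHOLDER", "type": "PLAINTEXT"},
        {"name": "AWS_SECRET_ACCESS_KEY", "value": "/example/secret", "type": "SECRETS_MANAGER"},
        {"name": "BUILD_ENV", "value": "prod"}
      ]
    }
  }],
  "projectsNotFound": []
}""")


def find_clear_text_credentials(project):
    """Names of credential variables stored as clear text in one project dict."""
    env_vars = project.get("environment", {}).get("environmentVariables", [])
    return sorted(v["name"] for v in env_vars
                  if v.get("name") in CREDENTIAL_VARS
                  and v.get("type", "PLAINTEXT") == "PLAINTEXT")


def build_update_input(batch_output):
    """Cleaned project document for "aws codebuild update-project --cli-input-json".
    Removes every variable named in CREDENTIAL_VARS, as the remediation says."""
    project = copy.deepcopy(batch_output["projects"][0])
    for field in READ_ONLY_FIELDS:
        project.pop(field, None)
    env = project.setdefault("environment", {})
    env["environmentVariables"] = [v for v in env.get("environmentVariables", [])
                                   if v.get("name") not in CREDENTIAL_VARS]
    return project


if __name__ == "__main__":
    print("flagged:", find_clear_text_credentials(SAMPLE_BATCH_GET_OUTPUT["projects"][0]))
    print(json.dumps(build_update_input(SAMPLE_BATCH_GET_OUTPUT), indent=2))
```

Write the printed document to a file and pass it to update-project as in the command above; the flagged list is empty once the variables are removed.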
References
https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-2
https://docs.aws.amazon.com/codebuild/latest/userguide/change-project-cli.html