Control: 3 CodeBuild S3 logs should be encrypted
Description
This control checks if Amazon S3 logs for an AWS CodeBuild project are encrypted. The control fails if encryption is deactivated for S3 logs for a CodeBuild project.
Encryption of data at rest is a recommended best practice to add a layer of access management around your data. Encrypting the logs at rest reduces the risk that a user not authenticated by AWS will access the data stored on disk. It adds another set of access controls to limit the ability of unauthorized users to access the data.
Remediation
To change the encryption settings for CodeBuild project S3 logs, see Change a build project's settings in AWS CodeBuild in the AWS CodeBuild User Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_codebuild_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_codebuild_3 --share
SQL
This control uses a named query:
codebuild_project_s3_logs_encryption_enabled
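
The check described above, sketched in Python as an added example (it is not the named query's SQL and not code from the mod). It assumes project records shaped like the CodeBuild BatchGetProjects response; the sample projects are constructed, and reporting projects without S3 logs as `skip` is this example's assumption.

```python
import json

# Constructed sample shaped like the "projects" list returned by the
# CodeBuild BatchGetProjects API; names and bucket paths are made up.
SAMPLE = json.loads("""
{"projects": [
  {"name": "app-build", "logsConfig": {"s3Logs":
    {"status": "ENABLED", "location": "example-bucket/app",
     "encryptionDisabled": false}}},
  {"name": "legacy-build", "logsConfig": {"s3Logs":
    {"status": "ENABLED", "location": "example-bucket/legacy",
     "encryptionDisabled": true}}},
  {"name": "cw-only", "logsConfig": {
    "cloudWatchLogs": {"status": "ENABLED"},
    "s3Logs": {"status": "DISABLED"}}},
  {"name": "implicit", "logsConfig": {"s3Logs":
    {"status": "ENABLED", "location": "example-bucket/implicit"}}},
  {"name": "no-logs-config"}
]}
""")


def evaluate_project(project):
    """Return (status, reason) for one project's S3 log encryption."""
    s3_logs = (project.get("logsConfig") or {}).get("s3Logs") or {}
    if s3_logs.get("status") != "ENABLED":
        # Assumption of this example: no S3 logs means nothing to encrypt.
        return "skip", "S3 logs not enabled"
    # encryptionDisabled is optional; S3 build logs are encrypted by default.
    if s3_logs.get("encryptionDisabled", False):
        return "alarm", "S3 logs encryption disabled"
    return "ok", "S3 logs encrypted"


def evaluate(projects):
    """Map project name -> status for a list of project records."""
    return {p["name"]: evaluate_project(p)[0] for p in projects}


if __name__ == "__main__":
    for proj in SAMPLE["projects"]:
        status, reason = evaluate_project(proj)
        print(f"{status:5} {proj['name']}: {reason}")
```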