turbot/aws_compliance

Control: 3 CodeBuild S3 logs should be encrypted

Description

This control checks if Amazon S3 logs for an AWS CodeBuild project are encrypted. The control fails if encryption is deactivated for S3 logs for a CodeBuild project.

Encryption of data at rest is a recommended best practice to add a layer of access management around your data. Encrypting the logs at rest reduces the risk that a user not authenticated by AWS will access the data stored on disk. It adds another set of access controls to limit the ability of unauthorized users to access the data.

Remediation

To change the encryption settings for CodeBuild project S3 logs, see Change a build project's settings in AWS CodeBuild in the AWS CodeBuild User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_codebuild_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_codebuild_3 --share

SQL

This control uses a named query:

codebuild_project_s3_logs_encryption_enabled

Tags