Control: CodeBuild project artifact encryption should be enabled
Description
This control checks if a CodeBuild project has encryption enabled for all of its artifacts. The rule is non-compliant if 'encryptionDisabled' is set to 'true' for any primary or secondary (if present) artifact configurations.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.codebuild_project_artifact_encryption_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.codebuild_project_artifact_encryption_enabled --share
SQL
This control uses a named query:
-- Projects with at least one secondary artifact that has encryption disabled.
with secondary_artifact as (
  select
    distinct arn
  from
    aws_codebuild_project,
    jsonb_array_elements(secondary_artifacts) as a
  where
    a -> 'EncryptionDisabled' = 'true'
)
select
  -- Use p.arn: a.arn is null whenever the left join finds no match.
  p.arn as resource,
  case
    when p.artifacts ->> 'EncryptionDisabled' = 'false'
    and (p.secondary_artifacts is null or a.arn is null) then 'ok'
    else 'alarm'
  end as status,
  case
    when p.artifacts ->> 'EncryptionDisabled' = 'false'
    and (p.secondary_artifacts is null or a.arn is null) then p.title || ' all artifacts encryption enabled.'
    else p.title || ' all artifacts encryption not enabled.'
  end as reason,
  p.region,
  p.account_id
from
  aws_codebuild_project as p
  left join secondary_artifact as a on a.arn = p.arn;
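The query above reports only ok or alarm per project. As an added example (not part of the aws_compliance mod), the following Python applies the same pass/fail logic to project records shaped like the `aws codebuild batch-get-projects` response and names the artifact that triggers the alarm. The project names, account ID and the `evaluate` and `unencrypted_artifacts` helpers are constructed for illustration.

```python
# Constructed sample records using the BatchGetProjects field names
# (artifacts, secondaryArtifacts, encryptionDisabled, artifactIdentifier).
ARN = "arn:aws:codebuild:us-east-1:111122223333:project/"  # constructed
PROJECTS = [
    {"arn": ARN + "all-encrypted",
     "artifacts": {"type": "S3", "encryptionDisabled": False},
     "secondaryArtifacts": [
         {"type": "S3", "artifactIdentifier": "reports", "encryptionDisabled": False}]},
    {"arn": ARN + "primary-plain",
     "artifacts": {"type": "S3", "encryptionDisabled": True}},
    {"arn": ARN + "secondary-plain",
     "artifacts": {"type": "S3", "encryptionDisabled": False},
     "secondaryArtifacts": [
         {"type": "S3", "artifactIdentifier": "logs", "encryptionDisabled": True},
         {"type": "S3", "artifactIdentifier": "reports", "encryptionDisabled": False}]},
    {"arn": ARN + "no-flag",
     "artifacts": {"type": "NO_ARTIFACTS"}},
]


def unencrypted_artifacts(project):
    """Return labels for the artifacts that make the control alarm."""
    findings = []
    # Primary artifact: like the query, only an explicit false passes,
    # so a missing flag is reported as well.
    if (project.get("artifacts") or {}).get("encryptionDisabled") is not False:
        findings.append("primary")
    # Secondary artifacts: like the query, only an explicit true fails.
    for artifact in project.get("secondaryArtifacts") or []:
        if artifact.get("encryptionDisabled") is True:
            findings.append("secondary:" + artifact.get("artifactIdentifier", "?"))
    return findings


def evaluate(projects):
    """Map each project ARN to (status, offending artifact labels)."""
    results = {}
    for project in projects:
        bad = unencrypted_artifacts(project)
        results[project["arn"]] = ("alarm" if bad else "ok", bad)
    return results


if __name__ == "__main__":
    for arn, (status, bad) in evaluate(PROJECTS).items():
        print(status, arn, ", ".join(bad))
```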