Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: 2 CodeBuild project environment variables should not contain clear text credentials

Description

This control checks whether the project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

Authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access.

Remediation

To remediate this issue, update your CodeBuild project to remove the environment variable.

To remove environment variables from a CodeBuild project

  1. Open the CodeBuild console.
  2. Expand Build.
  3. Choose Build project, and then choose the build project that contains plaintext credentials.
  4. From Edit, choose Environment.
  5. Expand Additional configuration.
  6. Choose Remove next to the environment variables.
  7. Choose Update environment.

To store sensitive values in the Amazon EC2 Systems Manager Parameter Store and then retrieve them from your build spec

  1. Open the CodeBuild console.
  2. Expand Build.
  3. Choose Build project, and then choose the build project that contains plaintext credentials.
  4. From Edit, choose Environment.
  5. Expand Additional configuration and scroll to Environment variables.
  6. Follow this tutorial to create a Systems Manager parameter that contains your sensitive data.
  7. After you create the parameter, copy the parameter name.
  8. Back in the CodeBuild console, choose Create environmental variable.
  9. Enter the name of your variable as it appears in your build spec.
  10. For Value, paste the name of your parameter.
  11. For Type, choose Parameter.
  12. To remove your noncompliant environmental variable that contains plaintext credentials, choose Remove.
  13. Choose Update environment.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_codebuild_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_codebuild_2 --share

SQL

This control uses a named query:

with invalid_key_name as (
  select
    distinct arn,
    name
  from
    aws_codebuild_project,
    jsonb_array_elements(environment -> 'EnvironmentVariables') as env
  where
    env ->> 'Name' ilike any(array['%AWS_ACCESS_KEY_ID%', '%AWS_SECRET_ACCESS_KEY%', '%PASSWORD%'])
    and env ->> 'Type' = 'PLAINTEXT'
)
select
  a.arn as resource,
  case
    when b.arn is null then 'ok'
    else 'alarm'
  end as status,
  case
    when b.arn is null then a.title || ' has no plaintext environment variables with sensitive AWS values.'
    else a.title || ' has plaintext environment variables with sensitive AWS values.'
  end as reason
  
  , a.region, a.account_id
from
  aws_codebuild_project as a
  left join invalid_key_name b on a.arn = b.arn;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = secure_development
foundational_security_item_id = codebuild_2
plugin = aws
service = AWS/CodeBuild