🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-terraform-aws-compliance
Overview
69Dashboards
357Benchmarks
357Queries
2Variables
GitHub

Control: CodeBuild project plaintext environment variables should not contain sensitive AWS values

Description

Ensure authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY do not exist within AWS CodeBuild project environments. Do not store these variables in clear text. Storing these variables in clear text leads to unintended data exposure and unauthorized access.

Usage

Run the control in your terminal:

powerpipe control run terraform_aws_compliance.control.codebuild_project_plaintext_env_variables_no_sensitive_aws_values

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run terraform_aws_compliance.control.codebuild_project_plaintext_env_variables_no_sensitive_aws_values --share

SQL

This control uses a named query:

with codebuild_projects as (
  select
    *
  from
    terraform_resource
  where
    type = 'aws_codebuild_project'
), invalid_key_name as (
    select
      distinct address
    from
      codebuild_projects,
      jsonb_array_elements(
        case jsonb_typeof( attributes_std -> 'environment' -> 'environment_variable')
          when 'array' then (attributes_std -> 'environment' -> 'environment_variable')
          else null end
      ) as env
    where
      env ->> 'name' ilike any (ARRAY['%AWS_ACCESS_KEY_ID%', '%AWS_SECRET_ACCESS_KEY%', '%PASSWORD%'])
      and env ->> 'type' = 'PLAINTEXT'
)
select
  a.address as resource,
  case
    when b.address is not null
    or ((attributes_std -> 'environment' -> 'environment_variable' ->> 'name' ilike any (ARRAY['%AWS_ACCESS_KEY_ID%', '%AWS_SECRET_ACCESS_KEY%', '%PASSWORD%'])) and attributes_std -> 'environment' -> 'environment_variable' ->> 'type' = 'PLAINTEXT') then 'alarm'
    else 'ok'
  end status,
  split_part(a.address, '.', 2) || case
    when b.address is not null
    or ((attributes_std -> 'environment' -> 'environment_variable' ->> 'name' ilike any (ARRAY['%AWS_ACCESS_KEY_ID%', '%AWS_SECRET_ACCESS_KEY%', '%PASSWORD%'])) and attributes_std -> 'environment' -> 'environment_variable' ->> 'type' = 'PLAINTEXT') then ' has plaintext environment variables with sensitive AWS values'
    else ' has no plaintext environment variables with sensitive AWS values'
  end || '.' reason
  
  , path || ':' || start_line
from
  codebuild_projects as a
  left join invalid_key_name as b on a.address = b.address;

Tags

aws_foundational_security = true
category = Compliance
hipaa = true
nist_800_53_rev_4 = true
nist_csf = true
pci = true
plugin = terraform
service = AWS/CodeBuild
soc_2 = true