
Rule: CodeBuild Project Plaintext Environment Variables

This rule ensures sensitive AWS values are not included in plaintext environment variables for CodeBuild projects.

Rule: CodeBuild project plaintext environment variables should not contain sensitive AWS values
Framework: CISA-cyber-essentials
Severity: Critical

CodeBuild Project Plaintext Environment Variables Security Rule

Description of the Rule

When using AWS CodeBuild for continuous integration and continuous delivery (CI/CD) workflows, it's imperative to handle sensitive information, such as AWS credentials and other secrets, with strict security measures. As a best practice, sensitive AWS values, such as access keys, secret keys, and session tokens, should not be stored in plaintext within environment variables of your CodeBuild projects. This is crucial for maintaining the security of your AWS resources.

To comply with the CISA (Cybersecurity & Infrastructure Security Agency) cyber essentials, environment variables in CodeBuild projects that contain sensitive information should be encrypted using AWS Key Management Service (KMS) or be stored and retrieved securely using AWS Secrets Manager or AWS Systems Manager Parameter Store.

Storing sensitive values in plaintext can lead to unauthorized access and potentially compromise your AWS account and associated resources.

Troubleshooting Steps

If you suspect that your CodeBuild project contains plaintext sensitive AWS values:

  1. Inspect the project's environment variables to verify whether sensitive information is present in plaintext.
  2. Check the build logs for inadvertent exposure of sensitive data.
  3. Audit the access policies and IAM roles associated with CodeBuild and the KMS keys to ensure they follow the principle of least privilege.

Remediation Steps

Here is a step-by-step guide for remediating plaintext environment variables in a CodeBuild project that contain sensitive AWS values.

Step 1: Identify Sensitive Data in Plaintext

Examine your CodeBuild project environment variables for any sensitive AWS values.

Step 2: Store Sensitive Data Securely

Securely store your sensitive data using AWS Secrets Manager or AWS Systems Manager Parameter Store.

AWS Secrets Manager:

aws secretsmanager create-secret --name MySecretName --secret-string '{"MySecretKey":"MySecretValue"}'

AWS Systems Manager Parameter Store:

aws ssm put-parameter --name "MyParameterName" --type "SecureString" --value "MySecureValue" --overwrite

Step 3: Modify CodeBuild Project to Use Secure Storage

Update your CodeBuild project to reference the secure storage method chosen above for sensitive variables.

AWS Secrets Manager Example:

# update-project replaces the whole environment block: supply type, image and computeType (placeholder values here) plus every variable you want to keep; "MySecretName:MySecretKey" selects that key from the JSON secret created in Step 2.
aws codebuild update-project --name "MyProjectName" --environment '{"type":"LINUX_CONTAINER","image":"aws/codebuild/standard:7.0","computeType":"BUILD_GENERAL1_SMALL","environmentVariables":[{"name":"MY_SECRET_ENV_VAR","type":"SECRETS_MANAGER","value":"MySecretName:MySecretKey"}]}'

AWS Systems Manager Parameter Store Example:

# As above, the full environment block is required; type, image and computeType are placeholders to adapt to your project.
aws codebuild update-project --name "MyProjectName" --environment '{"type":"LINUX_CONTAINER","image":"aws/codebuild/standard:7.0","computeType":"BUILD_GENERAL1_SMALL","environmentVariables":[{"name":"MY_SECURE_PARAM","type":"PARAMETER_STORE","value":"MyParameterName"}]}'

Step 4: Validate the Configuration

Ensure that the CodeBuild project is now using the secure method for accessing sensitive data and that there is no plaintext sensitive data in environment variables.

Step 5: Monitor and Rotate Secrets

Regularly rotate secrets and credentials, monitor their access, and audit usage as part of a comprehensive secret management practice.

Necessary Codes

AWS CLI Commands

  • To list environment variables for a CodeBuild project:
aws codebuild batch-get-projects --names "MyProjectName" --query "projects[].environment.environmentVariables"
  • To update the project with references to Secrets Manager or Parameter Store:
# For AWS Secrets Manager (update-project replaces the whole environment block, so type, image, computeType and all variables to keep must be supplied; values shown are placeholders)
aws codebuild update-project --name "MyProjectName" --environment '{"type":"LINUX_CONTAINER","image":"aws/codebuild/standard:7.0","computeType":"BUILD_GENERAL1_SMALL","environmentVariables":[{"name":"MY_SECRET_ENV_VAR","type":"SECRETS_MANAGER","value":"MySecretName:MySecretKey"}]}'

# For AWS Systems Manager Parameter Store
aws codebuild update-project --name "MyProjectName" --environment '{"type":"LINUX_CONTAINER","image":"aws/codebuild/standard:7.0","computeType":"BUILD_GENERAL1_SMALL","environmentVariables":[{"name":"MY_SECURE_PARAM","type":"PARAMETER_STORE","value":"MyParameterName"}]}'
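As an added example (not part of the original page or of any AWS tooling), the script below applies this rule to the JSON that `aws codebuild batch-get-projects` returns when run without the `--query` filter: it flags PLAINTEXT variables whose name or value looks like an AWS credential and ignores SECRETS_MANAGER and PARAMETER_STORE references. The name list and the value patterns are assumed heuristics, and the sample input is constructed.

```python
import json
import re
import sys

# Variable names the AWS SDKs read as credentials (assumed heuristic list).
SENSITIVE_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}
# Value shapes: access key ids (AKIA.../ASIA...) and 40-character secret keys.
ACCESS_KEY_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+=]{40}$")


def is_sensitive(name, value):
    """True if a PLAINTEXT variable looks like a credential by name or by value."""
    upper = name.upper()
    if upper in SENSITIVE_NAMES or any(t in upper for t in ("SECRET", "TOKEN", "PASSWORD")):
        return True
    return bool(ACCESS_KEY_RE.match(value) or SECRET_KEY_RE.match(value))


def find_plaintext_sensitive(projects):
    """Return (project, variable) pairs that violate the rule.

    `projects` is the "projects" list from batch-get-projects. SECRETS_MANAGER and
    PARAMETER_STORE variables carry references, not values, so they are compliant."""
    findings = []
    for project in projects:
        env_vars = project.get("environment", {}).get("environmentVariables", [])
        for var in env_vars:
            # CodeBuild treats a variable with no "type" as PLAINTEXT.
            if var.get("type", "PLAINTEXT") != "PLAINTEXT":
                continue
            if is_sensitive(var.get("name", ""), var.get("value", "")):
                findings.append((project["name"], var["name"]))
    return findings


# Constructed sample shaped like `aws codebuild batch-get-projects` output.
SAMPLE = {"projects": [{"name": "MyProjectName", "environment": {"environmentVariables": [
    {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE", "type": "PLAINTEXT"},
    {"name": "DB_PASSWORD", "value": "hunter2", "type": "PLAINTEXT"},
    {"name": "MY_SECRET_ENV_VAR", "value": "MySecretName:MySecretKey", "type": "SECRETS_MANAGER"},
    {"name": "BUILD_ENV", "value": "staging"}]}}]}

if __name__ == "__main__":
    # Usage: aws codebuild batch-get-projects --names MyProjectName > projects.json
    #        python check_codebuild_env.py projects.json   (no argument: scan SAMPLE)
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for proj, var in find_plaintext_sensitive(data["projects"]):
        print(f"{proj}: PLAINTEXT variable {var} looks like a credential")
```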

Additional Notes

  • Remember to revise your CI/CD pipeline IAM policies to grant the necessary permissions to access Secrets Manager or Parameter Store.
  • Use AWS CloudTrail to monitor for any unauthorized access or changes to your environment variables.
  • Continuously audit your environment variables and AWS resource configurations with AWS Config.

Following these comprehensive steps will help ensure that your CodeBuild projects align with CISA's cyber essentials by securely managing sensitive values and will improve the overall security posture of your CI/CD pipeline.
