This rule ensures sensitive AWS values are not in plaintext environment variables for CodeBuild projects.
Rule | CodeBuild project plaintext environment variables should not contain sensitive AWS values
Framework | FedRAMP Low Revision 4
Severity | Critical
Rule Description:
This rule ensures that CodeBuild project environment variables do not contain sensitive AWS values. It is specifically applicable to CodeBuild projects within an environment that adheres to the FedRAMP Low framework, Revision 4.
Troubleshooting Steps:
Remediation:
To remediate the issue and comply with the policy, follow these steps:
CLI Command:
You can also remediate the issue using the AWS Command Line Interface (CLI) by following the steps below:
aws codebuild update-project --name <project-name> --environment '{"type":"<environment-type>","image":"<image>","computeType":"<compute-type>","environmentVariables":[{"name":"<variable-name>","value":"<new-value>","type":"SECRETS_MANAGER"}]}' ...

Note that update-project takes the whole environment block through --environment (the --environment-variables-override option belongs to start-build, not update-project), so <environment-type>, <image> and <compute-type> must repeat the project's current values; aws codebuild batch-get-projects --names <project-name> shows them.
Replace <project-name> with the name of the CodeBuild project that violates the policy.
Replace <variable-name> with the name of the environment variable that contains sensitive AWS values.
Replace <new-value> with the updated value or an appropriate alternative. With the SECRETS_MANAGER type shown above, this is the name or ARN of a Secrets Manager secret rather than the value itself; PARAMETER_STORE with a Systems Manager parameter name is the other non-plaintext type.
Compliance:
To ensure ongoing compliance with the policy, it is recommended to periodically review CodeBuild project configurations and environment variables for any sensitive AWS values. Additionally, consider implementing automated checks or scripting to enforce compliance during CI/CD pipelines. Regular auditing and monitoring can help maintain a secure and compliant CodeBuild environment.
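As an added example (not part of this rule page and not AWS tooling), the following Python script implements the automated check the Compliance section recommends and builds the environment block that the update-project command above expects. It runs over a constructed project definition shaped like the output of aws codebuild batch-get-projects; the project name, image, secret names and key values are made up, and the sensitive-name list and the access-key-ID pattern are assumptions about what counts as a sensitive AWS value.

```python
import re

# Assumption: variable names under which AWS credentials are conventionally passed.
SENSITIVE_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}
# Assumption: long-term (AKIA) and temporary (ASIA) access key IDs are 4 + 16 characters.
ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")
# Environment variable types that resolve the value at build time instead of storing it.
NON_PLAINTEXT_TYPES = {"PARAMETER_STORE", "SECRETS_MANAGER"}

# Constructed sample shaped like one entry of batch-get-projects "projects"; all values are made up.
SAMPLE_PROJECT = {
    "name": "example-build",
    "environment": {
        "type": "LINUX_CONTAINER",
        "image": "aws/codebuild/standard:7.0",
        "computeType": "BUILD_GENERAL1_SMALL",
        "environmentVariables": [
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEEXAMPLE01", "type": "PLAINTEXT"},
            {"name": "DEPLOY_KEY", "value": "ASIAEXAMPLEEXAMPLE02", "type": "PLAINTEXT"},
            {"name": "DB_PASSWORD", "value": "prod/db/password", "type": "SECRETS_MANAGER"},
            {"name": "BUILD_ENV", "value": "staging"},  # no "type" key: API default is PLAINTEXT
        ],
    },
}


def find_plaintext_secrets(project: dict) -> list:
    """Return the PLAINTEXT environment variables of a CodeBuild project whose
    name or value indicates an AWS credential, as {"name", "type"} dicts."""
    findings = []
    for var in project.get("environment", {}).get("environmentVariables", []):
        var_type = var.get("type", "PLAINTEXT")
        if var_type in NON_PLAINTEXT_TYPES:
            continue  # value is fetched at build time, not stored in the project
        name, value = var.get("name", ""), var.get("value", "")
        if name.upper() in SENSITIVE_NAMES or ACCESS_KEY_ID_RE.match(value):
            findings.append({"name": name, "type": var_type})
    return findings


def build_remediated_environment(project: dict, secret_refs: dict) -> dict:
    """Return the full environment block for update-project with every flagged
    variable switched to SECRETS_MANAGER; secret_refs maps variable name to the
    Secrets Manager secret name or ARN that will hold the value."""
    env = project["environment"]
    flagged = {f["name"] for f in find_plaintext_secrets(project)}
    new_vars = []
    for var in env.get("environmentVariables", []):
        if var["name"] in flagged:
            new_vars.append({"name": var["name"],
                             "value": secret_refs[var["name"]],
                             "type": "SECRETS_MANAGER"})
        else:
            new_vars.append(dict(var))  # untouched variables are copied as-is
    # update-project requires type, image and computeType alongside the variables.
    return {"type": env["type"], "image": env["image"],
            "computeType": env["computeType"], "environmentVariables": new_vars}


if __name__ == "__main__":
    for finding in find_plaintext_secrets(SAMPLE_PROJECT):
        print(f"{SAMPLE_PROJECT['name']}: {finding['name']} is {finding['type']} and looks sensitive")
    fixed = build_remediated_environment(
        SAMPLE_PROJECT,
        {"AWS_ACCESS_KEY_ID": "ci/aws/access-key-id", "DEPLOY_KEY": "ci/deploy-key"},
    )
    print("remaining findings after remediation:",
          find_plaintext_secrets({"name": SAMPLE_PROJECT["name"], "environment": fixed}))
```

The dict returned by build_remediated_environment is what goes into --environment (or a --cli-input-json file) for update-project; the script only rewrites the project definition, so the referenced secrets must already exist in Secrets Manager and the project's service role must be allowed to read them, otherwise the next build fails at variable resolution.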