This rule ensures sensitive AWS values are not in plaintext environment variables.
| Rule | CodeBuild project plaintext environment variables should not contain sensitive AWS values |
| Framework | FedRAMP Moderate Revision 4 |
| Severity | Critical |
Ensuring AWS CodeBuild Project Environment Variables are Secure for FedRAMP Moderate Revision 4 Compliance
Sensitive information, such as AWS credentials, must be handled securely to comply with the Federal Risk and Authorization Management Program (FedRAMP) Moderate Revision 4 guidelines. In AWS CodeBuild projects, sensitive data must not be stored in plaintext environment variables. Below are the rule description, troubleshooting methods, remediation procedures, and the commands needed to maintain compliance.
Description of the Rule
AWS CodeBuild allows users to set environment variables that build scripts can read during the build. FedRAMP Moderate Revision 4 has specific requirements for the handling of sensitive information, and under these guidelines sensitive AWS credential material must never be stored in plaintext in CodeBuild project environment variables. Any sensitive AWS value found in plaintext is a security risk and a violation of the rule.
Troubleshooting Steps
To check whether any AWS CodeBuild projects violate this rule, inspect each project's environment variables using the AWS Management Console, the AWS CLI, or an AWS SDK.
Using AWS Management Console:
Using AWS CLI:
Run the following command to list all environment variables for a specific CodeBuild project:
aws codebuild batch-get-projects --names "project-name" --query "projects[].environment.environmentVariables"
Using AWS SDKs:
Refer to the language-specific AWS SDK documentation to retrieve and inspect environment variables for CodeBuild projects.
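As an added example (not part of the original rule page), the following script applies the check from the CLI step above to the JSON that `aws codebuild batch-get-projects` prints: it reports only variables of type PLAINTEXT whose value has the shape of an AWS access key or whose name suggests a credential, and ignores PARAMETER_STORE and SECRETS_MANAGER references. The name patterns, the `--stdin` flag and the `demo-build` sample project are assumptions made for this example.

```python
"""Scan batch-get-projects output for plaintext environment variables that look like
AWS credentials. Reads JSON from stdin when run with --stdin, otherwise uses SAMPLE."""
import json
import re
import sys

# Variable names that usually carry credentials (assumed convention; extend as needed).
SENSITIVE_NAME = re.compile(
    r"SECRET_ACCESS_KEY|ACCESS_KEY_ID|SESSION_TOKEN|SECRET|TOKEN|PASSWORD|PASSWD", re.I)
# Value shapes of AWS credentials: access key IDs start with AKIA/ASIA, secret keys are 40 chars.
ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
SECRET_KEY = re.compile(r"^[A-Za-z0-9/+=]{40}$")

def classify(var):
    """Return why one environmentVariables entry is a finding, or None if it is safe.
    Only PLAINTEXT entries hold the secret itself; the other types hold a reference."""
    if var.get("type", "PLAINTEXT") != "PLAINTEXT":
        return None
    name, value = var.get("name", ""), var.get("value", "")
    if ACCESS_KEY_ID.search(value):
        return "value looks like an AWS access key ID"
    if SECRET_KEY.match(value):
        return "value looks like an AWS secret access key"
    if value and SENSITIVE_NAME.search(name):
        return "sensitive-looking variable name with a plaintext value"
    return None

def find_plaintext_sensitive(batch_output):
    """Walk projects[] from batch-get-projects and return (project, variable, reason) tuples."""
    findings = []
    for project in batch_output.get("projects", []):
        for var in project.get("environment", {}).get("environmentVariables", []):
            reason = classify(var)
            if reason:
                findings.append((project.get("name", "?"), var.get("name", "?"), reason))
    return findings

# Constructed sample in the shape of batch-get-projects output; the values are not real keys.
SAMPLE = {"projects": [{"name": "demo-build", "environment": {"environmentVariables": [
    {"name": "AWS_SECRET_ACCESS_KEY", "value": "x" * 40, "type": "PLAINTEXT"},
    {"name": "DEPLOY_KEY_ID", "value": "AKIAEXAMPLEEXAMPLE00", "type": "PLAINTEXT"},
    {"name": "DB_PASSWORD", "value": "/codebuild/demo-build/db", "type": "PARAMETER_STORE"},
    {"name": "BUILD_ENV", "value": "staging", "type": "PLAINTEXT"},
]}}]}

if __name__ == "__main__":
    data = json.load(sys.stdin) if "--stdin" in sys.argv else SAMPLE
    for project, name, reason in find_plaintext_sensitive(data):
        print(f"{project}: {name}: {reason}")
```

Run it as `aws codebuild batch-get-projects --names project-name | python3 scan.py --stdin` to check a real project; a value-shape match is a strong signal, a name-only match still needs a human look.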
Remediation Steps
If you identify any plaintext sensitive values, following these remediation steps will help ensure the project is compliant with FedRAMP Moderate Revision 4.
Identify alternative mechanisms for securing sensitive information. AWS recommends using Parameter Store or Secrets Manager.
Remove any sensitive AWS values from plaintext environment variables.
Use AWS Key Management Service (KMS) to encrypt sensitive data.
Update Environment Variables Using AWS CLI:
First, remove the sensitive plaintext environment variables:
# update-project replaces the whole environment block, so the project's existing type, image and computeType must be repeated alongside the variables you keep:
aws codebuild update-project --name "project-name" --environment "type=EXISTING_TYPE,image=EXISTING_IMAGE,computeType=EXISTING_COMPUTE_TYPE,environmentVariables=[{name=NON_SENSITIVE_VARIABLE,value=VALUE,type=PLAINTEXT},{...}]"
Next, securely store sensitive values in either AWS Systems Manager Parameter Store or AWS Secrets Manager.
Using Parameter Store:
# Passing the value as file://secret.txt instead of a literal keeps it out of shell history; the same applies to --secret-string below.
aws ssm put-parameter --name "/codebuild/project-name/secret" --value "SENSITIVE_VALUE" --type "SecureString"
Using Secrets Manager:
aws secretsmanager create-secret --name "codebuild/project-name/secret" --secret-string "SENSITIVE_VALUE"
Lastly, modify the CodeBuild project to reference these secure storage methods.
Adding Parameter Store Variable in CodeBuild Project:
# environmentVariables is replaced as a whole, so list every variable the build needs; the project's service role also needs ssm:GetParameters on the parameter.
aws codebuild update-project --name "project-name" --environment "type=EXISTING_TYPE,image=EXISTING_IMAGE,computeType=EXISTING_COMPUTE_TYPE,environmentVariables=[{name=PARAMETER_STORE_VARIABLE,value=/codebuild/project-name/secret,type=PARAMETER_STORE}]"
Adding Secrets Manager Variable in CodeBuild Project:
# As above, list every variable the build needs; the project's service role also needs secretsmanager:GetSecretValue on the secret.
aws codebuild update-project --name "project-name" --environment "type=EXISTING_TYPE,image=EXISTING_IMAGE,computeType=EXISTING_COMPUTE_TYPE,environmentVariables=[{name=SECRETS_MANAGER_VARIABLE,value=codebuild/project-name/secret,type=SECRETS_MANAGER}]"
Conclusion
Maintaining FedRAMP Moderate Revision 4 compliance requires vigilance and proper management of sensitive information. By never storing sensitive AWS values in plaintext within CodeBuild project environment variables, and instead using secure storage such as AWS SSM Parameter Store or AWS Secrets Manager, you substantially reduce the risk of credential exposure. Following these steps will help in achieving and maintaining compliance.