Cloud Defense Logo

Products

Solutions

Company

Book A Live Demo

Rule: CodeBuild Project Plaintext Environment Variables

This rule ensures sensitive AWS values are not stored in plaintext environment variables for CodeBuild projects.

RuleCodeBuild project plaintext environment variables should not contain sensitive AWS values
FrameworkFedRAMP Moderate Revision 4
Severity
Critical

Rule/Policy:

CodeBuild project plaintext environment variables should not contain sensitive AWS values for FedRAMP Moderate Revision 4.

Description:

In order to comply with the FedRAMP Moderate security requirement, CodeBuild projects should not store sensitive AWS values as plaintext environmental variables. Storing sensitive information, such as AWS access keys, secret keys, or other credentials, in plaintext can pose a security risk if unauthorized parties gain access to the environment or the code repository.

Troubleshooting Steps:

If this rule is violated, follow the troubleshooting steps below to identify and rectify the issue:

  1. 1.

    Review Environment Variables: Check the environment variables set for the CodeBuild project. Look for any variables that might contain sensitive AWS values stored in plaintext.

  2. 2.

    Identify Sensitive Values: Identify the environment variables that may contain sensitive information. These could be variables related to AWS credentials, API keys, or other authentication details.

  3. 3.

    Remove or Encrypt Sensitive Variables: Remove any plaintext environment variables that contain sensitive information. Alternatively, you can encrypt the values using AWS Key Management Service (KMS) and update the CodeBuild project to decrypt the values during runtime.

  4. 4.

    Use AWS Secrets Manager: Replace plaintext environment variables with secure parameters stored in AWS Secrets Manager. Secrets Manager provides a secure way to store and manage sensitive information such as API keys, tokens, and database credentials.

  5. 5.

    Update Access Control: Ensure that only authorized users and IAM roles have the necessary permissions to view or modify the environment variables of the CodeBuild project.

  6. 6.

    Ensure Secure CI/CD Pipelines: Review your CI/CD pipeline setup to make sure that sensitive values are not exposed or leaked at any stage, including code repositories or build artifacts.

Necessary Codes:

There might not be any specific codes to address this rule, as it primarily involves reviewing and modifying environment variables. However, if you choose to encrypt the sensitive values using KMS, you can refer to the AWS CLI commands below:

  1. 1.
    Create a new KMS key:
aws kms create-key --description "CodeBuild Encryption Key" --region <aws-region>
  1. 1.
    Encrypt the sensitive value using the KMS key:
aws kms encrypt --key-id <kms-key-id> --plaintext "<sensitive-value>" --query CiphertextBlob --output text --region <aws-region>
  1. 1.

    Update the CodeBuild project environment variable with the encrypted value.

  2. 2.

    Modify the CodeBuild project to include the necessary decryption logic during runtime.

Please note that the above commands provide a general reference and might need to be adapted to fit your specific environment and requirements.

Step-by-Step Guide for Remediation:

Follow the step-by-step guide below to remediate the non-compliance issue:

  1. 1.

    Identify and Review CodeBuild Project: Identify the CodeBuild project that is violating the rule.

  2. 2.

    Access Environment Variables: Access the CodeBuild project configuration and locate the environment variables section.

  3. 3.

    Identify Sensitive Variables: Identify any environment variables that may contain sensitive AWS values.

  4. 4.

    Remove Plaintext Variables: Remove any plaintext environment variables that include sensitive information. Replace them with secure alternatives such as AWS Secrets Manager or encrypted values.

  5. 5.

    Use AWS Secrets Manager: If applicable, set up AWS Secrets Manager to store sensitive information securely and update the CodeBuild project to retrieve values from Secrets Manager at runtime.

  6. 6.

    Update Access Control: Review and update the access control settings to ensure that only authorized users and roles have permission to view or modify the environment variables.

  7. 7.

    Validate Changes: Test the updated CodeBuild project to ensure it functions correctly with the new configuration.

  8. 8.

    Monitor and Review: Regularly review the CodeBuild project and its environment variables to ensure compliance with the rule and to detect any new instances of storing sensitive AWS values as plaintext.

By following this step-by-step guide, you can ensure that your CodeBuild projects comply with the required security standards and mitigate the risk of unauthorized access to sensitive information.

Is your System Free of Underlying Vulnerabilities?
Find Out Now