
Rule: CodeBuild Project Plaintext Environment Variables No Sensitive AWS Values

This rule ensures CodeBuild projects do not contain sensitive AWS values in plaintext environment variables.

Rule: CodeBuild project plaintext environment variables should not contain sensitive AWS values
Framework: NIST 800-53 Revision 4
Severity: Critical

Rule Description:

This rule ensures that CodeBuild project plaintext environment variables do not contain sensitive AWS values, in alignment with NIST 800-53 Revision 4 guidelines. Plaintext environment variables containing sensitive AWS values can potentially expose critical information to unauthorized individuals, leading to security breaches and unauthorized access to AWS resources.

Troubleshooting Steps:

  1. Identify the CodeBuild project(s) that are violating this rule by reviewing their environment variables configuration.
  2. Check whether any plaintext environment variables contain sensitive AWS values, such as access keys, secret keys, or other sensitive authentication information.

Remediation Steps:

  1. Open the AWS Management Console and navigate to the CodeBuild service.
  2. Select the CodeBuild project that violates the rule.
  3. In the project settings, locate the "Environment" section.
  4. Review the environment variables and identify any plaintext variables containing sensitive AWS values.
  5. Replace the sensitive AWS values with secure alternatives. This can be done using AWS Secrets Manager or AWS Systems Manager Parameter Store.
  6. Using AWS Secrets Manager:
    • Open the AWS Secrets Manager service in the AWS Management Console.
    • Create a new secret for each sensitive AWS value that needs to be stored securely.
    • Store the sensitive value as a secret in AWS Secrets Manager.
    • Copy the ARN (Amazon Resource Name) of the created secret.
    • Go back to the CodeBuild project settings.
    • Delete the plaintext environment variable containing the sensitive AWS value.
    • Add a new environment variable and provide the key-value pair.
    • Set the "Value" field to the ARN of the respective secret stored in AWS Secrets Manager.
    • Save the changes.
  7. Using AWS Systems Manager Parameter Store:
    • Open the AWS Systems Manager service in the AWS Management Console.
    • Create a new parameter for each sensitive AWS value that needs to be stored securely.
    • Store the sensitive value as a parameter in AWS Systems Manager Parameter Store.
    • Copy the ARN (Amazon Resource Name) of the created parameter.
    • Go back to the CodeBuild project settings.
    • Delete the plaintext environment variable containing the sensitive AWS value.
    • Add a new environment variable and provide the key-value pair.
    • Set the "Value" field to the ARN of the respective parameter stored in AWS Systems Manager Parameter Store.
    • Save the changes.
  8. Repeat steps 4 to 7 for each plaintext environment variable containing sensitive AWS values in the CodeBuild project.
  9. Test the CodeBuild project to ensure it functions correctly with the updated secure environment variables.
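A check that implements the troubleshooting step (flag PLAINTEXT variables that carry AWS credentials) and shows the remediated form the steps above produce, as an added Python example that is not part of this rule page or of any Cloud Defense tooling. The project list is constructed to mirror the shape of the CodeBuild BatchGetProjects response; the credential name list and the access-key-ID pattern are this example's own heuristics, not an AWS-defined list.

```python
import re

# Variable names that, when set as PLAINTEXT, carry AWS credentials (this example's own list).
SENSITIVE_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}
# Heuristic for an access key ID in a value: AWS long-term IDs begin with AKIA, temporary ones with ASIA.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")

# Constructed sample shaped like the "projects" element returned by codebuild:BatchGetProjects.
# Values are fake placeholders; the ARN and account id are documentation-style examples.
SAMPLE_PROJECTS = [
    {
        "name": "legacy-deploy",
        "environment": {"environmentVariables": [
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEEXAMPLE01", "type": "PLAINTEXT"},
            {"name": "AWS_SECRET_ACCESS_KEY", "value": "not-a-real-secret", "type": "PLAINTEXT"},
            {"name": "REGION", "value": "us-east-1", "type": "PLAINTEXT"},
        ]},
    },
    {
        "name": "remediated-deploy",
        "environment": {"environmentVariables": [
            # Remediated form from steps 6 and 7: the value is a reference to the secret or
            # parameter, and the variable type tells CodeBuild where to resolve it at build time.
            {"name": "AWS_SECRET_ACCESS_KEY", "type": "SECRETS_MANAGER",
             "value": "arn:aws:secretsmanager:us-east-1:111122223333:secret:deploy-key-AbCdEf"},
            {"name": "DEPLOY_TOKEN", "value": "/deploy/token", "type": "PARAMETER_STORE"},
        ]},
    },
]


def find_plaintext_secrets(projects):
    """Return (project name, variable name, reason) for every PLAINTEXT variable that carries a credential."""
    findings = []
    for project in projects:
        for var in project.get("environment", {}).get("environmentVariables", []):
            # The API always returns "type"; a missing type is treated as plaintext to fail closed.
            if var.get("type", "PLAINTEXT") != "PLAINTEXT":
                continue  # SECRETS_MANAGER / PARAMETER_STORE references are the compliant form
            if var["name"].upper() in SENSITIVE_NAMES:
                findings.append((project["name"], var["name"], "credential name"))
            elif ACCESS_KEY_ID_RE.search(var.get("value", "")):
                findings.append((project["name"], var["name"], "access key id in value"))
    return findings


def is_compliant(project):
    """True when the project has no plaintext variable flagged by find_plaintext_secrets."""
    return not find_plaintext_secrets([project])
```

Running the check over a live account means feeding it the `projects` list from a BatchGetProjects call; the function only reads the variable name, value and type.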

Note: It is essential to follow AWS security best practices when storing sensitive information and ensure proper access control and encryption measures are in place.
