This rule ensures sensitive AWS values are not in plaintext environment variables within CodeBuild projects.
Rule | CodeBuild project plaintext environment variables should not contain sensitive AWS values |
Framework | NIST Cybersecurity Framework (CSF) v1.1 |
Severity | ✔ Critical |
Compliance Rule: AWS CodeBuild Environment Variables Security
Description
The rule stipulates that plaintext environment variables within AWS CodeBuild projects must not contain sensitive AWS values such as access key IDs, secret access keys and session tokens. A variable of type PLAINTEXT is shown to anyone who can open the project in the console or call batch-get-projects, and it can be echoed into build logs by the buildspec, so a credential stored that way is effectively shared with every reader of the project. This is in alignment with the NIST Cybersecurity Framework (CSF) v1.1, which aims to maintain the confidentiality, integrity and availability of information systems; mismanaged credentials can result in unauthorized access and security breaches. Secrets belong in AWS Systems Manager Parameter Store or AWS Secrets Manager, referenced from the project with an environment variable of type PARAMETER_STORE or SECRETS_MANAGER, and where possible the build should rely on the CodeBuild service role rather than on static access keys at all.
Troubleshooting
Steps for Identifying Non-Compliant Resources
Use the AWS CLI to list all CodeBuild projects (the result is paginated with nextToken in accounts with many projects):
aws codebuild list-projects
Describe each project, including its environment variables (batch-get-projects accepts up to 100 names per call):
aws codebuild batch-get-projects --names "project-name"
A variable is non-compliant when its type is PLAINTEXT and either its name is one the AWS SDKs read as a credential (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) or its value has the shape of an access key ID (AKIA for long-term keys or ASIA for temporary keys, followed by 16 upper-case alphanumerics). Variables of type PARAMETER_STORE or SECRETS_MANAGER hold a reference rather than the secret and are compliant. A script that applies those checks to every project and prints the offending variables:
#!/bin/bash
# Report PLAINTEXT variables that are named like, or shaped like, AWS credentials.
set -euo pipefail
for project in $(aws codebuild list-projects --output text --query 'projects'); do
  # One "name<TAB>value" line per PLAINTEXT variable of this project
  aws codebuild batch-get-projects --names "$project" --output text \
    --query "projects[0].environment.environmentVariables[?type=='PLAINTEXT'].[name,value]" \
  | grep -E '^(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN)[[:space:]]|[[:space:]](AKIA|ASIA)[0-9A-Z]{16}$' \
  | sed "s/^/$project: /" || true   # grep exits 1 for a clean project; keep looping
done
Remediation Steps
Manual Remediation
Move the secret into Parameter Store or Secrets Manager, then replace the plaintext variable with a reference of type PARAMETER_STORE or SECRETS_MANAGER. Note that update-project replaces the whole environment block: the command must restate the project's existing type, image and computeType (take them from the batch-get-projects output) and every variable you intend to keep, not only the one being changed. The parameter name below is illustrative:
aws codebuild update-project --name "project-name" --environment "type=ENVIRONMENT_TYPE,image=IMAGE,computeType=COMPUTE_TYPE,environmentVariables=[{name=AWS_SECRET_ACCESS_KEY,value=/codebuild/project-name/secret-key,type=PARAMETER_STORE}]"
Treat the exposed credential as compromised: rotate or delete the access key in IAM, and where possible remove the need for it by granting the CodeBuild service role the permissions the build requires.
Automated Remediation
Automation Code
Using an AWS Lambda function invoked by a periodic AWS Config custom rule. The function evaluates every project and reports the result back to Config with put_evaluations, so non-compliant projects appear in the Config console and can drive a remediation action; rewriting a project's variables is left as a deliberate follow-up rather than an automatic edit of a running build:
import json
import re
import boto3

# Variable names the AWS SDKs read as credentials, and the shape of an access key ID (AKIA/ASIA + 16 chars)
SENSITIVE_NAMES = {'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN'}
ACCESS_KEY_ID_RE = re.compile(r'^(AKIA|ASIA)[0-9A-Z]{16}$')

def lambda_handler(event, context):
    codebuild = boto3.client('codebuild')
    config = boto3.client('config')
    # list_projects is paginated; collect every project name first
    names = [n for page in codebuild.get_paginator('list_projects').paginate() for n in page['projects']]
    evaluations = []
    for i in range(0, len(names), 100):  # batch_get_projects accepts at most 100 names per call
        for project in codebuild.batch_get_projects(names=names[i:i + 100])['projects']:
            flagged = [v['name'] for v in project['environment'].get('environmentVariables', [])
                       if v.get('type') == 'PLAINTEXT'
                       and (v['name'].upper() in SENSITIVE_NAMES or ACCESS_KEY_ID_RE.match(v.get('value', '')))]
            evaluations.append({
                'ComplianceResourceType': 'AWS::CodeBuild::Project',
                'ComplianceResourceId': project['arn'],  # assumed: Config records CodeBuild projects by ARN
                'ComplianceType': 'NON_COMPLIANT' if flagged else 'COMPLIANT',
                'Annotation': ('Plaintext AWS credentials: ' + ', '.join(flagged))[:256] if flagged else 'No plaintext AWS credentials',
                'OrderingTimestamp': json.loads(event['invokingEvent'])['notificationCreationTime'],
            })
    for i in range(0, len(evaluations), 100):  # put_evaluations also takes at most 100 per call
        config.put_evaluations(Evaluations=evaluations[i:i + 100], ResultToken=event['resultToken'])
    return {'statusCode': 200, 'body': json.dumps(f'{len(evaluations)} projects evaluated')}
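The detection logic and the rewrite step described in this rule, worked through as a stand-alone example that runs offline. This is added illustration, not code from the page or from AWS: the project below is a constructed sample shaped like one entry of batch-get-projects output with fake key values, and the Secrets Manager secret name prod/codebuild/deploy is hypothetical. It goes slightly beyond the Lambda above by also flagging secret-key-shaped values in variables whose names hint at a secret, and by producing the complete environment block that update_project needs, since that call replaces the whole environment:

```python
import re
from typing import Dict, List, Tuple

# Variable names the AWS SDKs and CLI read as static credentials.
SENSITIVE_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}
# Shape of an access key ID: long-term keys start with AKIA, temporary ones with ASIA.
ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")
# Shape of a secret access key: 40 characters from the base64 alphabet.
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+=]{40}$")
SECRET_NAME_HINTS = ("SECRET", "TOKEN", "KEY", "PASSWORD")


def find_plaintext_credentials(env_vars: List[Dict]) -> List[Tuple[str, str]]:
    """Return (variable name, reason) for every PLAINTEXT variable that looks like an AWS credential.

    PARAMETER_STORE and SECRETS_MANAGER variables carry a reference that CodeBuild resolves at
    build time, not the secret itself, so they are skipped.
    """
    findings = []
    for var in env_vars:
        if var.get("type", "PLAINTEXT") != "PLAINTEXT":
            continue
        name, value = var["name"], var.get("value", "")
        if name.upper() in SENSITIVE_NAMES:
            findings.append((name, "credential variable name"))
        elif ACCESS_KEY_ID_RE.match(value):
            findings.append((name, "value shaped like an access key ID"))
        elif SECRET_KEY_RE.match(value) and any(h in name.upper() for h in SECRET_NAME_HINTS):
            # The 40-character test alone is loose; require a name hint to limit false positives.
            findings.append((name, "value shaped like a secret access key"))
    return findings


def remediated_environment(project: Dict, secret_name: str) -> Dict:
    """Build the environment block for codebuild.update_project(name=..., environment=...).

    update_project replaces the whole environment, so the existing type, image and computeType
    are kept and every variable is restated; flagged ones become SECRETS_MANAGER references in
    CodeBuild's "<secret-id>:<json-key>" form, using a JSON key named after the variable.
    """
    env = dict(project["environment"])
    current = env.get("environmentVariables", [])
    flagged = {name for name, _ in find_plaintext_credentials(current)}
    env["environmentVariables"] = [
        {"name": v["name"], "value": f"{secret_name}:{v['name']}", "type": "SECRETS_MANAGER"}
        if v["name"] in flagged else dict(v)
        for v in current
    ]
    return env


# Constructed sample shaped like one entry of `aws codebuild batch-get-projects` output.
# The key-like values are fake (the secret is the placeholder used in AWS documentation).
SAMPLE_PROJECT = {
    "name": "sample-build",
    "environment": {
        "type": "LINUX_CONTAINER",
        "image": "aws/codebuild/standard:7.0",
        "computeType": "BUILD_GENERAL1_SMALL",
        "environmentVariables": [
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEEXAMPLE01", "type": "PLAINTEXT"},
            {"name": "DEPLOY_SECRET", "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "type": "PLAINTEXT"},
            {"name": "DB_PASSWORD", "value": "/prod/db/password", "type": "PARAMETER_STORE"},
            {"name": "STAGE", "value": "prod", "type": "PLAINTEXT"},
        ],
    },
}


if __name__ == "__main__":
    for name, reason in find_plaintext_credentials(SAMPLE_PROJECT["environment"]["environmentVariables"]):
        print(f"{SAMPLE_PROJECT['name']}: {name} ({reason})")
    # Hypothetical secret name: create it first and grant the service role secretsmanager:GetSecretValue on it.
    fixed = remediated_environment(SAMPLE_PROJECT, "prod/codebuild/deploy")
    print(fixed["environmentVariables"])
    # Apply with: boto3.client("codebuild").update_project(name=SAMPLE_PROJECT["name"], environment=fixed)
```

The sample yields two findings, AWS_ACCESS_KEY_ID by name and DEPLOY_SECRET by value shape, while the PARAMETER_STORE variable and STAGE pass. After the rewrite the only PLAINTEXT variable left is STAGE, so running the detector over the new environment returns nothing, which is a useful check to make before calling update_project. The rewrite does not move the secret for you: the Secrets Manager entry has to exist with the matching JSON keys, and the leaked key still has to be rotated.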
Conclusion
Ensuring that plaintext environment variables in AWS CodeBuild do not contain sensitive AWS values is critical. By incorporating the described manual and automated steps into operational practices, organizations can enhance their security posture and align with NIST CSF guidelines. Violating this rule can expose sensitive data and compromise the security of the AWS environment.