Rule: CodeBuild Project Plaintext Environment Variables
This rule ensures sensitive AWS values are not in plaintext environment variables.
| Rule | CodeBuild project plaintext environment variables should not contain sensitive AWS values |
| Framework | SOC 2 |
| Severity | ✔ Critical |
CodeBuild Project - Sensitive AWS Value Policy
Description
This policy ensures that AWS CodeBuild projects do not have plaintext environment variables containing sensitive AWS values. Storing sensitive AWS credentials or other sensitive information in plaintext environment variables can potentially lead to security breaches and non-compliance with SOC 2 requirements.
Remediation Steps
To remediate this issue, follow the steps outlined below:
- 1.Review the environment variables in the CodeBuild project configuration.
- 2.Identify any plaintext environment variables that contain sensitive AWS values.
- 3.Replace the plaintext environment variables with appropriate methods of securely storing sensitive information.
- 4.Ensure that the new method of storing sensitive information is compliant with SOC 2 requirements.
Troubleshooting Steps (if applicable)
If you encounter any issues during the remediation process, follow these troubleshooting steps:
- 1.Verify that the sensitive AWS values are indeed stored in plaintext environment variables. Double-check the CodeBuild project configuration.
- 2.Confirm if the AWS values need to be stored in environment variables or if there is an alternative method available.
- 3.Ensure that the new secure method implemented for storing sensitive information is properly configured and functioning correctly.
- 4.If the issue persists or you need further assistance, contact AWS Support for additional guidance.
Necessary Codes (if applicable)
If there are any necessary codes to implement the remediation, they will be specific to your use case and environment. Consider the following general guidelines:
- 1.Use AWS Secrets Manager or AWS Parameter Store to securely store sensitive AWS values.
- 2.Update the CodeBuild project configuration to retrieve these values from Secrets Manager or Parameter Store during the build process.
- 3.Update the build scripts or code to incorporate the retrieved values from Secrets Manager or Parameter Store.
Step-by-Step Guide for Remediation
Step 1: Review CodeBuild project configuration
- 1.Log in to the AWS Management Console.
- 2.Navigate to the CodeBuild service.
Step 2: Identify plaintext environment variables
- 1.Access the CodeBuild project configuration.
- 2.Review the environment variables section.
- 3.Identify any plaintext environment variables that contain sensitive AWS values.
Step 3: Replace plaintext environment variables
- 1.Determine the most appropriate method for securely storing sensitive AWS values.
- 2.Consider using AWS Secrets Manager or AWS Parameter Store to securely store the sensitive information.
- 3.Store the sensitive AWS values in the chosen secure storage method.
- 4.Update the CodeBuild project configuration to retrieve the values from the secure storage method.
Step 4: Validate the new implementation
- 1.Start a new build for the CodeBuild project.
- 2.Monitor the build logs and ensure that the sensitive AWS values are properly retrieved from the secure storage method.
- 3.Verify that the build process completes successfully without any unauthorized exposure of sensitive information.
Step 5: SOC 2 Compliance
- 1.Review the SOC 2 compliance requirements.
- 2.Ensure that the new method of storing sensitive AWS values complies with SOC 2 requirements.
- 3.Document the changes made and update any necessary documentation related to SOC 2 compliance.
Note: This guide provides general steps for remediation. In your specific environment, consider any additional requirements or constraints that may exist.