More Info:

This rule checks AWS CodeBuild projects for environment variables that contain plaintext AWS credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY). Storing AWS credentials in plaintext within environment variables poses a significant security risk, as it can lead to unauthorized access if the credentials are exposed. It is recommended to use IAM roles or encrypted secrets management services like AWS Secrets Manager to handle credentials securely.

Risk Level

High

Address

Security

Compliance Standards

CBP

Remediation

Using Console

  1. Go to the AWS CodeBuild console.
  2. Navigate to “Build projects”.
  3. Select the CodeBuild project where credentials are stored in plaintext.
  4. Click on “Edit”.
  5. Navigate to the “Environment” section.
  6. Find the environment variable containing the plaintext credential.
  7. Change the variable type from “Plaintext” to “Parameter Store” or “Secrets Manager”, depending on your preference.
  8. Click “Save”.

Using CLI

aws codebuild update-project --name <project-name> --environment-variables-override name=<variable-name>,type=PARAMETER_STORE

Replace <project-name> with the name of your CodeBuild project and <variable-name> with the name of the environment variable containing the plaintext credential.

Using Python

You can use Boto3 to achieve this programmatically:

import boto3

def update_codebuild_project(project_name, variable_name):
    client = boto3.client('codebuild')
    response = client.update_project(
        name=project_name,
        environment={
            'environmentVariablesOverride': [
                {
                    'name': variable_name,
                    'type': 'PARAMETER_STORE'
                }
            ]
        }
    )
    print(f"Updated CodeBuild project {project_name} to use Parameter Store for credential {variable_name}")

def main():
    project_name = 'your-project-name'
    variable_name = 'your-variable-name'

    update_codebuild_project(project_name, variable_name)

if __name__ == "__main__":
    main()

Replace 'your-project-name' with the name of your CodeBuild project and 'your-variable-name' with the name of the environment variable containing the plaintext credential.

This script will update the specified CodeBuild project to use Parameter Store for the specified environment variable containing the plaintext credential.