More Info:

This rule ensures that encryption is enabled for logs stored in Amazon S3 for an AWS CodeBuild project. Enabling encryption helps protect sensitive build logs from unauthorized access or tampering. It ensures that logs are encrypted while stored, providing an additional layer of security.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Remediation

Using Console

To remediate the misconfiguration of S3 logs not having encryption enabled for an AWS CodeBuild project, you can follow these steps using the AWS Management Console:

  1. Login to AWS Console: Go to the AWS Management Console and login to your account.

  2. Navigate to AWS CodeBuild: From the services menu, navigate to AWS CodeBuild by either searching for it or finding it under the Developer Tools category.

  3. Select the CodeBuild Project: Select the CodeBuild project for which you want to enable S3 log encryption.

  4. Edit CodeBuild Project Settings:

    • Click on the “Edit” button to modify the settings of the CodeBuild project.

  5. Enable S3 Logs Encryption:

    • Scroll down to the section where you can configure the S3 logs settings.
    • Look for an option related to S3 log encryption. Enable the encryption option if it’s available.
    • If there is no direct option for encryption, you may need to create a new S3 bucket with encryption enabled and update the CodeBuild project to use this new bucket for storing logs.

  6. Save Changes: Once you have enabled encryption for S3 logs, click on the “Save” or “Update” button to apply the changes to the CodeBuild project.

  7. Verify Encryption: After saving the changes, trigger a build in the CodeBuild project to generate logs and ensure that the logs are now being stored in an S3 bucket with encryption enabled.

By following these steps, you can remediate the misconfiguration of not having encryption enabled for S3 logs in an AWS CodeBuild project.

Using CLI

To remediate the misconfiguration of S3 logs not having encryption enabled for an AWS CodeBuild project using AWS CLI, follow these steps:

  1. Enable Server-Side Encryption for S3 Bucket:

    • Run the following AWS CLI command to enable server-side encryption for the S3 bucket where the CodeBuild project logs are stored: 
      aws s3api put-bucket-encryption --bucket YOUR_BUCKET_NAME --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
    • Replace YOUR_BUCKET_NAME with the actual name of the S3 bucket where the CodeBuild project logs are stored.

  2. Update CodeBuild Project to Use Encrypted S3 Bucket:

    • Run the following AWS CLI command to update the CodeBuild project to use the encrypted S3 bucket for storing logs: 
      aws codebuild update-project --name YOUR_CODEBUILD_PROJECT_NAME --logs-config '{"cloudWatchLogs":{"status":"DISABLED"},"s3Logs":{"status":"ENABLED","location":"arn:aws:s3:::YOUR_BUCKET_NAME"}}'
    • Replace YOUR_CODEBUILD_PROJECT_NAME with the actual name of the CodeBuild project.
    • Replace YOUR_BUCKET_NAME with the actual name of the S3 bucket where the CodeBuild project logs are stored.

  3. Verify the Configuration:

    • Run the following AWS CLI command to verify that the encryption is enabled for the S3 bucket and the CodeBuild project is using the encrypted bucket for logs: 
      aws codebuild batch-get-projects --names YOUR_CODEBUILD_PROJECT_NAME
    • Replace YOUR_CODEBUILD_PROJECT_NAME with the actual name of the CodeBuild project.

By following these steps, you will successfully remediate the misconfiguration of S3 logs not having encryption enabled for an AWS CodeBuild project using AWS CLI.

Using Python

To remediate the misconfiguration of S3 logs not having encryption enabled for an AWS CodeBuild project using Python, you can follow these steps:

  1. Install Boto3: Make sure you have the Boto3 library installed. You can install it using pip:

    pip install boto3

  2. Write Python Script: Create a Python script with the following code to enable encryption for the S3 logs of the CodeBuild project:

    import boto3

# Initialize the Boto3 client for S3
s3_client = boto3.client('s3')

# Get the bucket name where the CodeBuild project logs are stored
bucket_name = '<YOUR_BUCKET_NAME>'

# Enable encryption for the bucket
response = s3_client.put_bucket_encryption(
    Bucket=bucket_name,
    ServerSideEncryptionConfiguration={
        'Rules': [
            {
                'ApplyServerSideEncryptionByDefault': {
                    'SSEAlgorithm': 'AES256'
                }
            }
        ]
    }
)

# Print the response
print(response)

    Replace <YOUR_BUCKET_NAME> with the actual bucket name where the CodeBuild project logs are stored.

  3. Run the Script: Execute the Python script to enable encryption for the S3 logs of the CodeBuild project:

    python enable_s3_encryption.py

  4. Verify: Check the S3 bucket settings to ensure that encryption is enabled for the CodeBuild project logs.

By following these steps, you can remediate the misconfiguration of S3 logs not having encryption enabled for an AWS CodeBuild project using Python.