More Info:

Ensure Code build code deploy has auto rollback and monitoring enabled

Risk Level

Medium

Address

Performance Efficiency, Operational Excellence, Reliability, Security

Compliance Standards

HITRUST,SOC2

Remediation

Using Console

To remediate the misconfiguration of CodeDeploy Auto Deploy and Monitoring not being enabled for AWS CodeBuild using the AWS Management Console, follow these steps:

  1. Login to AWS Console: Go to the AWS Management Console and login to your AWS account.

  2. Navigate to CodeBuild: In the AWS Management Console, navigate to the CodeBuild service.

  3. Select the Project: Select the CodeBuild project for which you want to enable CodeDeploy Auto Deploy and Monitoring.

  4. Edit the Project: Click on the project name to open the project details.

  5. Edit the Build: In the project details page, click on the “Edit” button to modify the project settings.

  6. Enable CodeDeploy Auto Deploy: In the project settings, scroll down to the “Deploy” section. Enable the “Enable automated deployments” option to enable CodeDeploy Auto Deploy.

  7. Configure Deployment: Configure the deployment settings as per your requirements. You can choose the deployment type, deployment group, and other deployment settings.

  8. Enable Monitoring: In the project settings, navigate to the “Monitoring” section. Enable the “Enable CloudWatch Logs” option to enable monitoring for the CodeBuild project.

  9. Save Changes: Once you have enabled CodeDeploy Auto Deploy and Monitoring, click on the “Save” button to save the changes.

  10. Verify Configuration: Verify that CodeDeploy Auto Deploy and Monitoring are enabled for the CodeBuild project by checking the project settings and configurations.

By following these steps, you can remediate the misconfiguration of CodeDeploy Auto Deploy and Monitoring not being enabled for AWS CodeBuild using the AWS Management Console.

Using CLI

To remediate the misconfiguration of enabling CodeDeploy Auto Deploy and Monitoring for AWS CodeBuild using AWS CLI, you can follow these step-by-step instructions:

  1. Enable CodeDeploy Auto Deploy and Monitoring for AWS CodeBuild:

    Run the following AWS CLI command to update the CodeBuild project to enable CodeDeploy Auto Deploy and Monitoring:

    aws codebuild update-project --name <codebuild-project-name> --environment "type=CODEPIPELINE,computeType=BUILD_GENERAL1_SMALL,image=aws/codebuild/standard:4.0,environmentVariablesOverride=[{name=CODEDEPLOY_AUTO_DEPLOY,value=true},{name=CODEDEPLOY_DEPLOYMENT_CONFIG,value=CodeDeployDefault.AllAtOnce},{name=CODEDEPLOY_APPLICATION_NAME,value=<codedeploy-application-name>},{name=CODEDEPLOY_DEPLOYMENT_GROUP_NAME,value=<codedeploy-deployment-group-name>}]"
    
    • Replace <codebuild-project-name> with the name of your CodeBuild project.
    • Replace <codedeploy-application-name> with the name of your CodeDeploy application.
    • Replace <codedeploy-deployment-group-name> with the name of your CodeDeploy deployment group.
  2. Verify Configuration:

    Run the following AWS CLI command to describe the updated CodeBuild project and verify that the CodeDeploy Auto Deploy and Monitoring settings are enabled:

    aws codebuild batch-get-projects --names <codebuild-project-name>
    

    This command will return the details of the CodeBuild project, including the environment settings.

  3. Monitor Deployment:

    After enabling CodeDeploy Auto Deploy and Monitoring for AWS CodeBuild, you can monitor the deployment process through the AWS CodeDeploy console or CLI.

By following these steps, you can remediate the misconfiguration and enable CodeDeploy Auto Deploy and Monitoring for AWS CodeBuild using AWS CLI.

Using Python

To remediate the misconfiguration of enabling CodeDeploy auto deploy and monitoring for AWS CodeBuild using Python, you can follow these steps:

Step 1: Import necessary libraries

import boto3

Step 2: Define the CodeBuild project name and the CodeDeploy application name

codebuild_project_name = 'YOUR_CODEBUILD_PROJECT_NAME'
codedeploy_application_name = 'YOUR_CODEDEPLOY_APPLICATION_NAME'

Step 3: Get the CodeBuild project information

codebuild_client = boto3.client('codebuild')
response = codebuild_client.batch_get_projects(names=[codebuild_project_name])
codebuild_project = response['projects'][0]

Step 4: Update the CodeBuild project to enable CodeDeploy auto deploy and monitoring

codebuild_project['environment']['computeType'] = 'BUILD_GENERAL1_SMALL'
codebuild_project['environment']['privilegedMode'] = True
codebuild_project['serviceRole'] = 'arn:aws:iam::YOUR_ACCOUNT_ID:role/YOUR_CODEBUILD_SERVICE_ROLE'
codebuild_project['artifacts']['type'] = 'CODEPIPELINE'
codebuild_project['environment']['type'] = 'LINUX_CONTAINER'
codebuild_project['environment']['image'] = 'aws/codebuild/standard:4.0'
codebuild_project['environment']['imagePullCredentialsType'] = 'CODEBUILD'
codebuild_project['environment']['environmentVariablesOverride'] = [
    {
        'name': 'CODEBUILD_BUILD_ID',
        'type': 'PLAINTEXT',
        'value': '$CODEBUILD_BUILD_ID'
    }
]
codebuild_project['environment']['privilegedMode'] = True
codebuild_project['triggers']['webhook'] = True

codebuild_client.update_project(
    name=codebuild_project_name,
    source=codebuild_project['source'],
    artifacts=codebuild_project['artifacts'],
    environment=codebuild_project['environment'],
    serviceRole=codebuild_project['serviceRole'],
    encryptionKey=codebuild_project['encryptionKey'],
    tags=codebuild_project['tags'],
    timeoutInMinutes=codebuild_project['timeoutInMinutes'],
    queuedTimeoutInMinutes=codebuild_project['queuedTimeoutInMinutes'],
    buildBatchConfig=codebuild_project['buildBatchConfig'],
    fileSystemLocations=codebuild_project['fileSystemLocations'],
    vpcConfig=codebuild_project['vpcConfig'],
    badgeEnabled=codebuild_project['badgeEnabled'],
    logsConfig=codebuild_project['logsConfig'],
    s3LogsConfig=codebuild_project['s3LogsConfig'],
    concurrentBuildLimit=codebuild_project['concurrentBuildLimit'],
    buildTimeout=codebuild_project['buildTimeout'],
    queuedTimeout=codebuild_project['queuedTimeout'],
    environmentVariablesOverride=codebuild_project['environmentVariablesOverride'],
    sourceVersion=codebuild_project['sourceVersion'],
    secondaryArtifacts=codebuild_project['secondaryArtifacts'],
    secondarySources=codebuild_project['secondarySources'],
    cache=codebuild_project['cache'],
    description=codebuild_project['description'],
    fileSystemLocations=codebuild_project['fileSystemLocations'],
    reportBuildStatus=codebuild_project['reportBuildStatus'],
    buildStatusConfig=codebuild_project['buildStatusConfig'],
    badgeEnabled=codebuild_project['badgeEnabled'],
    logsConfig=codebuild_project['logsConfig'],
    fileSystemLocations=codebuild_project['fileSystemLocations'],
    buildStatusConfig=codebuild_project['buildStatusConfig'],
    environmentType=codebuild_project['environmentType'],
    imagePullCredentialsType=codebuild_project['imagePullCredentialsType'],
    computeType=codebuild_project['computeType'],
    webhook=codebuild_project['webhook']
)

Step 5: Create a new deployment group in CodeDeploy

codedeploy_client = boto3.client('codedeploy')
response = codedeploy_client.create_deployment_group(
    applicationName=codedeploy_application_name,
    deploymentGroupName='YOUR_DEPLOYMENT_GROUP_NAME',
    deploymentConfigName='CodeDeployDefault.AllAtOnce',
    ec2TagFilters=[
        {
            'Key': 'YOUR_EC2_TAG_KEY',
            'Value': 'YOUR_EC2_TAG_VALUE',
            'Type': 'KEY_AND_VALUE'
        },
    ],
    serviceRoleArn='arn:aws:iam::YOUR_ACCOUNT_ID:role/YOUR_CODEDEPLOY_SERVICE_ROLE',
    autoScalingGroups=[
        'YOUR_AUTO_SCALING_GROUP_NAME',
    ],
    deploymentStyle={
        'deploymentType': 'BLUE_GREEN',
        'deploymentOption': 'WITH_TRAFFIC_CONTROL'
    },
    blueGreenDeploymentConfiguration={
        'terminateBlueInstancesOnDeploymentSuccess': {
            'action': 'TERMINATE',
            'terminationWaitTimeInMinutes': 5
        },
        'deploymentReadyOption': {
            'actionOnTimeout': 'CONTINUE_DEPLOYMENT'
        }
    }
)

Please replace placeholders like YOUR_CODEBUILD_PROJECT_NAME, YOUR_CODEDEPLOY_APPLICATION_NAME, YOUR_ACCOUNT_ID, YOUR_CODEBUILD_SERVICE_ROLE, YOUR_EC2_TAG_KEY, YOUR_EC2_TAG_VALUE, YOUR_CODEDEPLOY_SERVICE_ROLE, YOUR_AUTO_SCALING_GROUP_NAME, and YOUR_DEPLOYMENT_GROUP_NAME with your actual values.

These steps will help you remediate the misconfiguration of enabling CodeDeploy auto deploy and monitoring for AWS CodeBuild using Python.