
Rule: CodeBuild Project Environment Variables Should Not Contain Clear Text Credentials

This rule ensures that CodeBuild project environment variables do not expose clear text credentials.

Rule: CodeBuild project environment variables should not contain clear text credentials
Framework: AWS Foundational Security Best Practices
Severity: Critical

Rule Description:

This rule aims to ensure that AWS CodeBuild project environment variables do not contain clear text credentials. Storing credentials in clear text within environment variables poses a security risk, as it makes them easily accessible to potential attackers.

Remediation Steps:

To remediate this issue, follow the steps below:

1. Identify CodeBuild Projects with Clear Text Credentials:

  1. Open the AWS Management Console and navigate to the AWS CodeBuild service.
  2. Select the region where your CodeBuild projects are located.
  3. Go through the list of CodeBuild projects and identify any projects that have environment variables containing clear text credentials.

2. Update Environment Variables:

For each identified CodeBuild project, update the environment variables to remove any clear text credentials. There are two recommended approaches for managing credentials securely:

a. Use AWS Secrets Manager:

  1. Open the AWS Management Console and navigate to AWS Secrets Manager.
  2. Create a secret in AWS Secrets Manager that stores the required credentials securely.
  3. Retrieve the secret's ARN (Amazon Resource Name) for reference.
  4. Go back to the CodeBuild project and delete any environment variables containing clear text credentials.
  5. Create a new environment variable in the CodeBuild project, referencing the secret's ARN as the value.
  6. Save the changes.

b. Use AWS Systems Manager Parameter Store:

  1. Open the AWS Management Console and navigate to AWS Systems Manager.
  2. Create a parameter in AWS Systems Manager Parameter Store that stores the required credentials securely.
  3. Retrieve the parameter's ARN (Amazon Resource Name) for reference.
  4. Go back to the CodeBuild project and delete any environment variables containing clear text credentials.
  5. Create a new environment variable in the CodeBuild project, referencing the parameter's ARN as the value.
  6. Save the changes.

3. Test and Validate:

  1. Trigger a build in the CodeBuild project to ensure it runs successfully without any issues related to the updated environment variables.
  2. Verify that the build process or any dependent applications can access the required credentials securely from AWS Secrets Manager or AWS Systems Manager Parameter Store.

Troubleshooting Steps:

Issue: Build fails after updating environment variables

Possible Cause: Incorrect reference to AWS Secrets Manager or AWS Systems Manager Parameter Store ARN.

Resolution:

  1. Double-check that the ARN provided in the environment variable is correct.
  2. Ensure the IAM role used by CodeBuild has the necessary permissions to access the secret or parameter in AWS Secrets Manager or AWS Systems Manager Parameter Store.
  3. Confirm that the secret or parameter with the given ARN exists and contains the required credentials.

Issue: Credentials are still exposed in environment variables

Possible Cause: Failure to delete original environment variables containing clear text credentials.

Resolution:

  1. Review the CodeBuild project's environment variables and validate that there are no remaining variables containing clear text credentials.
  2. Remove any remaining environment variables containing clear text credentials.
  3. Ensure that all necessary credentials are securely stored in AWS Secrets Manager or AWS Systems Manager Parameter Store.

Example Code:

There is no specific code provided for this rule. The remediation steps involve using AWS Secrets Manager or AWS Systems Manager Parameter Store, where you will need to create and reference the relevant secrets or parameters.
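The following Python script is an added example written for this page; it is not code from Cloud Defense or from AWS. It covers the detection side of the rule (the identification step under Remediation Steps and the second troubleshooting issue) and the permissions side (troubleshooting step 2): it scans a CodeBuild project definition in the shape that boto3's `codebuild.batch_get_projects()` returns, flags PLAINTEXT variables whose names look credential-bearing, rewrites them as SECRETS_MANAGER references in the `environment` shape accepted by `codebuild.update_project()`, and generates the service-role IAM statements needed for those references to resolve at build time. The sample project, the variable-name heuristic beyond `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, and the secret names are constructed assumptions; the offline functions need no AWS SDK, and only `audit_all_projects()` talks to AWS.

```python
"""Added example for the CodeBuild clear-text-credentials rule (not Cloud Defense's
or AWS's code). Offline checks over a project definition in the shape returned by
boto3's codebuild.batch_get_projects(); the sample project below is constructed."""
import re

# Variable names assumed to carry credentials. AWS_ACCESS_KEY_ID and
# AWS_SECRET_ACCESS_KEY are the names the AWS Security Hub control looks for; the
# remaining names are a hypothetical, broader heuristic added for this example.
CREDENTIAL_NAME_PATTERN = re.compile(
    r"(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY)",
    re.IGNORECASE,
)

# Constructed sample in the shape of one entry of batch_get_projects()["projects"].
SAMPLE_PROJECT = {
    "name": "example-build",
    "environment": {
        "type": "LINUX_CONTAINER",
        "image": "aws/codebuild/standard:7.0",
        "computeType": "BUILD_GENERAL1_SMALL",
        "environmentVariables": [
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEEXAMPLE", "type": "PLAINTEXT"},
            {"name": "DB_PASSWORD", "value": "hunter2", "type": "PLAINTEXT"},
            {"name": "DEPLOY_STAGE", "value": "prod", "type": "PLAINTEXT"},
            {"name": "API_TOKEN", "value": "prod/api-token", "type": "SECRETS_MANAGER"},
        ],
    },
}


def find_clear_text_credentials(project):
    """Return the names of PLAINTEXT variables whose names look credential-bearing.

    Only PLAINTEXT values are stored in the project definition; PARAMETER_STORE and
    SECRETS_MANAGER values are references that CodeBuild resolves at build time.
    """
    findings = []
    for var in project.get("environment", {}).get("environmentVariables", []):
        if var.get("type", "PLAINTEXT") == "PLAINTEXT" and CREDENTIAL_NAME_PATTERN.search(var["name"]):
            findings.append(var["name"])
    return findings


def to_secrets_manager_refs(project, secret_names):
    """Return a copy of the project's environment in which each variable listed in
    secret_names is replaced by a SECRETS_MANAGER reference.

    secret_names maps variable name -> Secrets Manager secret name or ARN (CodeBuild
    also accepts 'secret-id:json-key'). The result is the 'environment' argument
    shape expected by codebuild.update_project(); the input is left untouched.
    """
    env = dict(project["environment"])
    rewritten = []
    for var in env["environmentVariables"]:
        if var["name"] in secret_names:
            rewritten.append({"name": var["name"], "value": secret_names[var["name"]], "type": "SECRETS_MANAGER"})
        else:
            rewritten.append(dict(var))
    env["environmentVariables"] = rewritten
    return env


def least_privilege_policy(secret_arns=(), parameter_arns=(), kms_key_arns=()):
    """Build the IAM policy the CodeBuild service role needs so that SECRETS_MANAGER
    and PARAMETER_STORE references resolve at build time (troubleshooting step 2)."""
    statements = []
    if secret_arns:
        statements.append({"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": list(secret_arns)})
    if parameter_arns:
        statements.append({"Effect": "Allow", "Action": "ssm:GetParameters", "Resource": list(parameter_arns)})
    if kms_key_arns:  # required when the secret or parameter is encrypted with a customer-managed KMS key
        statements.append({"Effect": "Allow", "Action": "kms:Decrypt", "Resource": list(kms_key_arns)})
    return {"Version": "2012-10-17", "Statement": statements}


def audit_all_projects(region_name):
    """Live variant: scan every CodeBuild project in one region and return
    {project name: [flagged variable names]}. Needs boto3 and AWS credentials;
    the offline checks above do not call it."""
    import boto3  # imported here so the offline functions work without the SDK
    cb = boto3.client("codebuild", region_name=region_name)
    report = {}
    for page in cb.get_paginator("list_projects").paginate():
        names = page.get("projects", [])
        if not names:
            continue
        for proj in cb.batch_get_projects(names=names)["projects"]:
            hits = find_clear_text_credentials(proj)
            if hits:
                report[proj["name"]] = hits
    return report


if __name__ == "__main__":
    print("Flagged PLAINTEXT variables:", find_clear_text_credentials(SAMPLE_PROJECT))
```

Two points the script makes that the remediation steps leave implicit: the replacement variable must be created with the Secrets Manager or Parameter Store type, because a PLAINTEXT variable whose value happens to be an ARN passes the ARN string to the build unchanged; and for `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` specifically, the cleanest fix is usually to drop the variables altogether and let the build use the CodeBuild service role, rather than moving long-lived keys into a secret.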
