Rule: CodeBuild Project Environment Variables
This rule ensures clear text credentials are not included in CodeBuild project environment variables.
| Rule | CodeBuild project environment variables should not contain clear text credentials |
| Framework | PCI v3.2.1 |
| Severity | ✔ Critical |
Rule Description:
The rule states that CodeBuild project environment variables should not contain clear text credentials for PCI (Payment Card Industry) v3 compliance. Storing clear text credentials in environment variables can lead to potential security risks such as unauthorized access to sensitive data.
Remediation:
To remediate this rule, follow the step-by-step guide below:
Step 1: Review existing CodeBuild project configurations
- 1.Login to the AWS Management Console.
- 2.Go to the AWS CodeBuild service page.
- 3.Select the relevant CodeBuild project where you want to check for clear text credentials.
Step 2: Verify environment variables
- 1.In the project configuration, navigate to the "Environment" section.
- 2.Check the list of environment variables declared for the project.
- 3.For each environment variable, ensure that there are no clear text credentials stored.
Step 3: Replace clear text credentials with secure alternatives
- 1.If any environment variable contains clear text credentials, it is recommended to replace them with secure alternatives.
- 2.Avoid storing credentials directly in environment variables.
- 3.For AWS resources, consider using IAM roles or AWS Secrets Manager to securely manage credentials.
Step 4: Update the CodeBuild project
- 1.After making the necessary changes, update the CodeBuild project configuration.
- 2.Save the changes, and the updated configuration will be applied to the project.
Troubleshooting:
In case there are any issues or troubleshooting required, follow these steps:
Issue: Clear text credentials found in environment variables
Solution:
- 1.Identify the environment variable(s) containing clear text credentials.
- 2.Follow the remediation steps mentioned above to replace the clear text credentials with secure alternatives.
Issue: Missing permissions to access CodeBuild project configuration
Solution:
- 1.Verify that you have the required permissions to access and modify the CodeBuild project configuration.
- 2.Contact the AWS account administrator if you don't have sufficient permissions.
Best Practices:
To ensure ongoing compliance with PCI v3 and maintain security, consider following these best practices:
- 1.Avoid storing clear text credentials in environment variables.
- 2.Use secure alternatives like IAM roles or AWS Secrets Manager to manage credentials.
- 3.Regularly review and monitor your CodeBuild projects for any potential security risks.
- 4.Implement proper access control to limit who can modify the CodeBuild project configuration.
- 5.Stay up-to-date with AWS security best practices and recommendations.
Please note that following these best practices can help improve your overall security posture and maintain compliance with the PCI v3 standard.