Ensure that CodeBuild Projects Have S3 or CloudWatch Logging Enabled
Overview
This check verifies that your AWS CodeBuild projects have logging enabled to either CloudWatch Logs or Amazon S3. Build logs capture important details about your build process, including commands run, output, and errors.
Risk
Without logging enabled on CodeBuild projects:
- Security incidents go undetected: Attackers could modify build artifacts, exfiltrate data, or abuse credentials with little evidence left behind.
- Troubleshooting becomes difficult: When builds fail, you have no logs to diagnose what went wrong.
- Compliance gaps: Many frameworks (PCI, SOC2, ISO27001) require audit logging for CI/CD pipelines.
- No forensic trail: In the event of a breach, you cannot correlate CodeBuild activity with other security alerts.
Remediation Steps
Prerequisites
You need permission to modify CodeBuild projects in your AWS account. Specifically, you need the codebuild:UpdateProject permission.
AWS Console Method
- Open the AWS CodeBuild console in us-east-1.
- Click on the project name you want to update.
- Choose the Edit button, then select Logs.
- Under CloudWatch logs, check the box for CloudWatch logs.
- Optionally, specify a Group name (e.g., /aws/codebuild/<your-project-name>) and Stream name prefix.
- Click Update project to save your changes.
Tip: You can also enable S3 logs if you need long-term retention or want to analyze logs with other tools.
AWS CLI
Enable CloudWatch Logs only:
aws codebuild update-project \
--name <your-project-name> \
--logs-config 'cloudWatchLogs={status=ENABLED,groupName=/aws/codebuild/<your-project-name>}' \
--region us-east-1
Enable both CloudWatch and S3 Logs:
aws codebuild update-project \
--name <your-project-name> \
--logs-config 'cloudWatchLogs={status=ENABLED,groupName=/aws/codebuild/<your-project-name>},s3Logs={status=ENABLED,location=<your-bucket-name>/build-logs}' \
--region us-east-1
Replace:
- <your-project-name> with your CodeBuild project name
- <your-bucket-name> with your S3 bucket for logs
CloudFormation
Use the LogsConfig property in your AWS::CodeBuild::Project resource:
AWSTemplateFormatVersion: '2010-09-09'
Description: CodeBuild project with logging enabled
Parameters:
  ProjectName:
    Type: String
    Description: Name of the CodeBuild project
  ServiceRoleArn:
    Type: String
    Description: ARN of the IAM service role for CodeBuild
  SourceLocation:
    Type: String
    Description: Source repository location
Resources:
  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Ref ProjectName
      ServiceRole: !Ref ServiceRoleArn
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/amazonlinux2-x86_64-standard:4.0
      Source:
        Type: GITHUB
        Location: !Ref SourceLocation
      LogsConfig:
        CloudWatchLogs:
          Status: ENABLED
          GroupName: !Sub '/aws/codebuild/${ProjectName}'
          StreamName: build-log
        S3Logs:
          Status: DISABLED
Outputs:
  ProjectArn:
    Description: ARN of the CodeBuild project
    Value: !GetAtt CodeBuildProject.Arn
Terraform
Add a logs_config block to your aws_codebuild_project resource:
resource "aws_codebuild_project" "example" {
  name         = var.project_name
  service_role = var.service_role_arn

  artifacts {
    type = "NO_ARTIFACTS"
  }

  environment {
    compute_type                = "BUILD_GENERAL1_SMALL"
    image                       = "aws/codebuild/amazonlinux2-x86_64-standard:4.0"
    type                        = "LINUX_CONTAINER"
    image_pull_credentials_type = "CODEBUILD"
  }

  source {
    type     = "GITHUB"
    location = var.source_location
  }

  logs_config {
    cloudwatch_logs {
      status     = "ENABLED"
      group_name = "/aws/codebuild/${var.project_name}"
    }
    s3_logs {
      status = "DISABLED"
    }
  }
}
To enable S3 logs as well:
logs_config {
  cloudwatch_logs {
    status     = "ENABLED"
    group_name = "/aws/codebuild/${var.project_name}"
  }
  s3_logs {
    status   = "ENABLED"
    location = "${var.log_bucket_name}/build-logs"
  }
}
Verification
After making changes, confirm logging is enabled:
- In the AWS Console, go to CodeBuild > Build projects.
- Click on your project name.
- Scroll to the Logs section and verify that CloudWatch logs (or S3 logs) is shown as Enabled.
CLI Verification
aws codebuild batch-get-projects \
--names <your-project-name> \
--query 'projects[0].logsConfig' \
--region us-east-1
You should see output showing "status": "ENABLED" for either cloudWatchLogs or s3Logs (or both).
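The same rule applied to every project in a region, as an added example rather than code from this page: a project passes only when cloudWatchLogs or s3Logs reports "status": "ENABLED", a missing logsConfig counts as disabled, and the script runs offline against a constructed sample of batch-get-projects output (the optional --live flag and boto3 client are this example's own assumptions).

```python
import json
import sys


def logging_enabled(logs_config):
    """True if logsConfig has cloudWatchLogs or s3Logs with status ENABLED.
    A missing logsConfig/sub-block or any other status counts as disabled."""
    if not logs_config:
        return False
    cw = (logs_config.get("cloudWatchLogs") or {}).get("status") == "ENABLED"
    s3 = (logs_config.get("s3Logs") or {}).get("status") == "ENABLED"
    return cw or s3


def find_noncompliant(projects):
    """Names of batch-get-projects records with no enabled log destination."""
    return [p["name"] for p in projects if not logging_enabled(p.get("logsConfig"))]


def fetch_projects(client):
    """All projects in a region via a boto3 codebuild client (assumed):
    list_projects pages with nextToken, batch_get_projects takes <=100 names."""
    names, token = [], None
    while True:
        page = client.list_projects(**({"nextToken": token} if token else {}))
        names.extend(page.get("projects", []))
        token = page.get("nextToken")
        if not token:
            break
    projects = []
    for i in range(0, len(names), 100):
        projects.extend(client.batch_get_projects(names=names[i:i + 100])["projects"])
    return projects


# Constructed sample in the shape of `aws codebuild batch-get-projects` output.
SAMPLE = json.loads("""{"projects": [
 {"name": "api-build", "logsConfig": {"cloudWatchLogs": {"status": "ENABLED",
   "groupName": "/aws/codebuild/api-build"}, "s3Logs": {"status": "DISABLED"}}},
 {"name": "legacy-build", "logsConfig": {"cloudWatchLogs": {"status": "DISABLED"},
   "s3Logs": {"status": "DISABLED"}}},
 {"name": "archive-build", "logsConfig": {"cloudWatchLogs": {"status": "DISABLED"},
   "s3Logs": {"status": "ENABLED", "location": "example-log-bucket/build-logs"}}},
 {"name": "no-logs-config"}
]}""")

if __name__ == "__main__":
    projects = SAMPLE["projects"]
    if "--live" in sys.argv:  # scan a real account instead; needs boto3 and read permissions
        import boto3
        projects = fetch_projects(boto3.client("codebuild", region_name="us-east-1"))
    for name in find_noncompliant(projects):
        print(f"FAIL: {name} has no CloudWatch or S3 build logging enabled")
```

Run as-is to see the two failing sample projects, or with --live (and codebuild:ListProjects plus codebuild:BatchGetProjects) to list the projects in your account that still need the remediation above.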
Additional Resources
- AWS CodeBuild User Guide - Build Project Settings
- AWS CodeBuild Logging and Monitoring
- CloudWatch Logs for CodeBuild
Notes
- CloudWatch Logs are enabled by default for new CodeBuild projects, but older projects may have logging disabled.
- Cost considerations: CloudWatch Logs incur charges based on data ingestion and storage. Set appropriate retention policies to manage costs.
- S3 logs are useful when you need longer retention or want to process logs with analytics tools like Athena.
- Encryption: S3 build logs are encrypted by default. You can disable this if needed, but it is not recommended.
- IAM permissions: The CodeBuild service role needs appropriate permissions to write to CloudWatch Logs or S3.