Ensure AWS CodeBuild Projects Are Not Public

Overview

This check verifies that your AWS CodeBuild projects have their visibility set to PRIVATE rather than PUBLIC_READ. When a project is public, anyone on the internet can view your build logs, artifacts, and results without authentication.

Risk

A publicly accessible CodeBuild project exposes sensitive information that can be used by attackers:

  • Leaked secrets: Build logs may contain environment variables, API keys, authentication tokens, or database credentials that were accidentally printed during builds
  • Source code exposure: Code snippets, file paths, and application logic often appear in build output
  • Supply chain attacks: Public artifacts can be tampered with or replaced with malicious versions
  • Reconnaissance: Attackers gain insight into your CI/CD pipeline, infrastructure, and deployment processes

This is rated high severity because the exposure is immediate and can reveal credentials or sensitive data from all past builds.

Remediation Steps

Prerequisites

You need permission to modify CodeBuild projects in your AWS account. Specifically, the codebuild:UpdateProjectVisibility permission is required.

AWS Console Method

  1. Sign in to the AWS Console and navigate to CodeBuild
  2. In the left navigation, click Build projects
  3. Select the project that was flagged by Prowler
  4. Click the Edit button in the top right, then select Edit project
  5. Scroll down to find the Project visibility setting
  6. Change it from Public to Private
  7. Click Update project to save your changes

AWS CLI (optional)

Use the update-project-visibility command to make a project private:

```bash
aws codebuild update-project-visibility \
  --project-arn arn:aws:codebuild:us-east-1:123456789012:project/my-project \
  --project-visibility PRIVATE \
  --region us-east-1
```

Replace arn:aws:codebuild:us-east-1:123456789012:project/my-project with your actual project ARN.

To find all public projects in your account:

```bash
# list-projects with text output prints all names tab-separated on one line,
# so split them into one name per line before reading them in the loop
aws codebuild list-projects --region us-east-1 --query 'projects' --output text | tr '\t' '\n' | \
while read -r project; do
  visibility=$(aws codebuild batch-get-projects --names "$project" --region us-east-1 \
    --query 'projects[0].projectVisibility' --output text)
  if [ "$visibility" = "PUBLIC_READ" ]; then
    echo "PUBLIC: $project"
  fi
done
```
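The same sweep with boto3, as an added example that is not part of Prowler or this page: it paginates ListProjects, queries BatchGetProjects in batches of 100 (the API's per-call limit) and, with `--fix`, calls UpdateProjectVisibility on each public project. It assumes boto3 is installed and that the credentials carry codebuild:ListProjects, codebuild:BatchGetProjects and, for `--fix`, codebuild:UpdateProjectVisibility.

```python
"""Sweep a region for PUBLIC_READ CodeBuild projects; optionally make them PRIVATE.

Added example, not Prowler's own code. Assumes boto3 and credentials with
codebuild:ListProjects, codebuild:BatchGetProjects and, for --fix,
codebuild:UpdateProjectVisibility.
"""
from __future__ import annotations

import sys

PUBLIC = "PUBLIC_READ"
BATCH = 100  # BatchGetProjects accepts at most 100 project names per call


def public_projects(projects: list[dict]) -> list[dict]:
    """Pick the PUBLIC_READ entries out of a BatchGetProjects 'projects' list.

    An entry without a projectVisibility field is treated as not public."""
    return [
        {"name": p["name"], "arn": p["arn"], "visibility": p["projectVisibility"]}
        for p in projects
        if p.get("projectVisibility") == PUBLIC
    ]


def chunks(items: list, size: int) -> list[list]:
    """Split a list into consecutive slices of at most `size` items."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def audit(region: str, fix: bool = False) -> list[dict]:
    """Return every public project in `region`; with fix=True also set it to PRIVATE."""
    import boto3  # imported here so the pure helpers above run without boto3

    cb = boto3.client("codebuild", region_name=region)
    names: list[str] = []
    for page in cb.get_paginator("list_projects").paginate():  # ListProjects is paginated
        names.extend(page["projects"])
    found: list[dict] = []
    for batch in chunks(names, BATCH):  # never call batch_get_projects with >100 names
        found.extend(public_projects(cb.batch_get_projects(names=batch)["projects"]))
    for p in found:
        print(f"PUBLIC: {p['name']} ({p['arn']})")
        if fix:
            cb.update_project_visibility(projectArn=p["arn"], projectVisibility="PRIVATE")
            print("  -> visibility set to PRIVATE")
    return found


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--fix"]
    # Exit non-zero while public projects remain, so this can gate a pipeline.
    sys.exit(1 if audit(args[0] if args else "us-east-1", fix="--fix" in sys.argv) else 0)
```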

CloudFormation (optional)

When defining CodeBuild projects in CloudFormation, set the Visibility property to PRIVATE:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: CodeBuild project with private visibility

Parameters:
  ProjectName:
    Type: String
    Description: Name for the CodeBuild project

Resources:
  CodeBuildServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${ProjectName}-codebuild-role'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSCodeBuildDeveloperAccess

  PrivateCodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Ref ProjectName
      Description: Private CodeBuild project
      ServiceRole: !GetAtt CodeBuildServiceRole.Arn
      Visibility: PRIVATE
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/amazonlinux2-x86_64-standard:5.0
      Source:
        Type: NO_SOURCE
        BuildSpec: |
          version: 0.2
          phases:
            build:
              commands:
                - echo "Build started"

Outputs:
  ProjectArn:
    Description: ARN of the CodeBuild project
    Value: !GetAtt PrivateCodeBuildProject.Arn
```

Terraform (optional)

Set the project_visibility attribute to "PRIVATE" in your CodeBuild project resource:

```hcl
variable "project_name" {
  description = "Name of the CodeBuild project"
  type        = string
}

# IAM Role for CodeBuild
resource "aws_iam_role" "codebuild" {
  name = "${var.project_name}-codebuild-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "codebuild.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}

# CodeBuild Project with Private Visibility
resource "aws_codebuild_project" "private_project" {
  name         = var.project_name
  description  = "Private CodeBuild project"
  service_role = aws_iam_role.codebuild.arn

  # IMPORTANT: Set visibility to PRIVATE
  project_visibility = "PRIVATE"

  artifacts {
    type = "NO_ARTIFACTS"
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/amazonlinux2-x86_64-standard:5.0"
    type         = "LINUX_CONTAINER"
  }

  source {
    type      = "NO_SOURCE"
    buildspec = <<-BUILDSPEC
      version: 0.2
      phases:
        build:
          commands:
            - echo "Build started"
    BUILDSPEC
  }
}

output "project_arn" {
  description = "ARN of the CodeBuild project"
  value       = aws_codebuild_project.private_project.arn
}
```

Verification

After making the change, verify the project is now private:

  1. In the AWS Console, go to CodeBuild and select your project
  2. Check that Project visibility shows Private

Re-run Prowler to confirm the check now passes:

```bash
prowler aws --check codebuild_project_not_publicly_accessible --region us-east-1
```

```bash
# CLI verification command
aws codebuild batch-get-projects \
  --names my-project \
  --region us-east-1 \
  --query 'projects[0].projectVisibility'
```

The output should be "PRIVATE".

Additional Resources

Notes

  • Historical exposure: When you change a project from public to private, be aware that any data exposed while it was public may have already been accessed or cached. Consider rotating any secrets that may have been visible in build logs.
  • Secrets management: Never store sensitive values directly in environment variables. Use AWS Secrets Manager or Systems Manager Parameter Store instead.
  • Artifact integrity: If you previously had public artifacts, validate them with checksums to ensure they have not been tampered with.
  • No downtime: Changing visibility does not interrupt running builds or affect your CI/CD pipeline functionality.