Ensure S3 Logs for CodeBuild Projects are Encrypted at Rest
Overview
This check verifies that AWS CodeBuild projects configured to send build logs to Amazon S3 have encryption enabled for those logs. Encryption at rest protects the stored log contents if the bucket or its objects are exposed, for example through a misconfigured bucket policy.
Risk
Build logs often contain sensitive information such as:
- Environment variables and configuration values
- Error messages with internal system details
- Credentials or tokens accidentally logged during builds
If these logs are stored unencrypted and the S3 bucket is misconfigured or accessed without authorization, attackers could extract this information to compromise your build pipeline or move laterally within your environment.
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify CodeBuild projects
- The CodeBuild project must already have S3 logging configured (this check only applies to projects using S3 logs)
AWS Console Method
- Open the AWS CodeBuild console
- Select the project that failed the check
- Click Edit and then choose Logs
- In the S3 logs section, make sure Disable S3 log encryption is unchecked
- Click Update project
That's it. Your S3 logs will now be encrypted using the default AWS-managed key (SSE-S3).
AWS CLI (optional)
Use the update-project command to enable encryption for S3 logs:
aws codebuild update-project \
    --name <your-project-name> \
    --logs-config 's3Logs={status=ENABLED,location=<your-bucket-name>/<log-path>,encryptionDisabled=false}' \
    --region us-east-1
Replace:
- <your-project-name> with your CodeBuild project name
- <your-bucket-name> with your S3 bucket name
- <log-path> with your desired log path prefix
To check the current configuration:
aws codebuild batch-get-projects \
    --names <your-project-name> \
    --region us-east-1 \
    --query 'projects[0].logsConfig.s3Logs'
You should see "encryptionDisabled": false in the output.
CloudFormation (optional)
In your CloudFormation template, set EncryptionDisabled: false in the LogsConfig section:
AWSTemplateFormatVersion: '2010-09-09'
Description: CodeBuild project with encrypted S3 logs
Parameters:
  ProjectName:
    Type: String
    Description: Name of the CodeBuild project
  S3LogBucket:
    Type: String
    Description: S3 bucket for build logs
  S3LogPath:
    Type: String
    Description: Path prefix for logs in the bucket
    Default: codebuild-logs
Resources:
  CodeBuildServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # Broad managed policy used for brevity; scope to the log bucket in production
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Ref ProjectName
      ServiceRole: !GetAtt CodeBuildServiceRole.Arn
      Source:
        Type: NO_SOURCE
        BuildSpec: |
          version: 0.2
          phases:
            build:
              commands:
                - echo "Build started"
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/amazonlinux2-x86_64-standard:4.0
      LogsConfig:
        S3Logs:
          Status: ENABLED
          Location: !Sub '${S3LogBucket}/${S3LogPath}'
          # The setting this check evaluates; must be false
          EncryptionDisabled: false
Outputs:
  ProjectArn:
    Value: !GetAtt CodeBuildProject.Arn
    Description: ARN of the CodeBuild project
The key setting is EncryptionDisabled: false under S3Logs.
Terraform (optional)
In your Terraform configuration, set encryption_disabled = false in the s3_logs block:
resource "aws_codebuild_project" "example" {
  name         = var.project_name
  service_role = aws_iam_role.codebuild.arn

  source {
    type      = "NO_SOURCE"
    buildspec = <<-BUILDSPEC
      version: 0.2
      phases:
        build:
          commands:
            - echo "Build started"
    BUILDSPEC
  }

  artifacts {
    type = "NO_ARTIFACTS"
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/amazonlinux2-x86_64-standard:4.0"
    type         = "LINUX_CONTAINER"
  }

  logs_config {
    s3_logs {
      status              = "ENABLED"
      location            = "${var.s3_log_bucket}/${var.s3_log_path}"
      # The setting this check evaluates; must be false
      encryption_disabled = false
    }
  }
}
The key setting is encryption_disabled = false under the s3_logs block.
Verification
After making changes, verify the fix:
- In the AWS Console, open your CodeBuild project and check the Logs configuration
- Confirm that Disable S3 log encryption is unchecked
CLI verification
aws codebuild batch-get-projects \
    --names <your-project-name> \
    --region us-east-1 \
    --query 'projects[0].logsConfig.s3Logs.encryptionDisabled'
The output should be false.
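The two batch-get-projects commands above only inspect one project at a time. The script below is an added example (not part of this page or any AWS tooling) that applies the same check to every project description, using the response shape that batch-get-projects returns: it reports N/A when S3 logging is off, FAIL when S3 logging is on with encryptionDisabled true, and PASS otherwise. The sample project dictionaries are constructed here, not real projects; the audit_account wrapper assumes boto3 is installed and credentials are configured.

```python
"""Audit CodeBuild projects for unencrypted S3 build logs.

The evaluation logic is pure and runs over project descriptions in the
shape returned by `aws codebuild batch-get-projects` (or boto3's
batch_get_projects). The optional audit_account() wrapper fetches live
data with boto3, which is assumed to be installed and credentialed.
"""
from __future__ import annotations

from typing import Iterable

PASS, FAIL, NOT_APPLICABLE = "PASS", "FAIL", "N/A"


def evaluate_project(project: dict) -> tuple[str, str]:
    """Return (status, reason) for one project description.

    N/A  - the project does not send logs to S3 (check does not apply)
    FAIL - S3 logging is enabled and encryptionDisabled is true
    PASS - S3 logging is enabled and logs are encrypted at rest
    """
    # Older or minimal projects may omit logsConfig entirely; treat as no S3 logs.
    s3_logs = (project.get("logsConfig") or {}).get("s3Logs") or {}
    if s3_logs.get("status", "DISABLED") != "ENABLED":
        return NOT_APPLICABLE, "S3 logging not enabled"
    location = s3_logs.get("location", "<unset>")
    # encryptionDisabled is absent or false on compliant projects.
    if s3_logs.get("encryptionDisabled", False):
        return FAIL, f"S3 logs at {location} are written unencrypted"
    return PASS, f"S3 logs at {location} are encrypted at rest"


def find_unencrypted(projects: Iterable[dict]) -> list[str]:
    """Names of projects whose S3 logs are enabled but not encrypted."""
    return [p["name"] for p in projects if evaluate_project(p)[0] == FAIL]


def audit_account(region: str = "us-east-1") -> dict[str, tuple[str, str]]:
    """Live variant: list every project in the region and evaluate each.

    Assumes boto3 and AWS credentials are available. batch_get_projects
    accepts at most 100 names per call, so the name list is chunked.
    """
    import boto3  # imported here so the pure functions stay dependency-free

    client = boto3.client("codebuild", region_name=region)
    names: list[str] = []
    for page in client.get_paginator("list_projects").paginate():
        names.extend(page.get("projects", []))
    results: dict[str, tuple[str, str]] = {}
    for i in range(0, len(names), 100):
        resp = client.batch_get_projects(names=names[i : i + 100])
        for project in resp["projects"]:
            results[project["name"]] = evaluate_project(project)
    return results


# Constructed sample data in the batch-get-projects response shape
# (not real projects): one compliant, one failing, one not applicable.
SAMPLE_PROJECTS = [
    {
        "name": "api-build",
        "logsConfig": {
            "cloudWatchLogs": {"status": "ENABLED"},
            "s3Logs": {
                "status": "ENABLED",
                "location": "example-log-bucket/codebuild-logs",
                "encryptionDisabled": False,
            },
        },
    },
    {
        "name": "legacy-build",
        "logsConfig": {
            "cloudWatchLogs": {"status": "DISABLED"},
            "s3Logs": {
                "status": "ENABLED",
                "location": "example-log-bucket/legacy",
                "encryptionDisabled": True,  # "Disable S3 log encryption" ticked
            },
        },
    },
    {
        "name": "cw-only-build",
        "logsConfig": {
            "cloudWatchLogs": {"status": "ENABLED"},
            "s3Logs": {"status": "DISABLED"},
        },
    },
]

if __name__ == "__main__":
    for project in SAMPLE_PROJECTS:
        status, reason = evaluate_project(project)
        print(f"{status:<4} {project['name']}: {reason}")
```

Running the module as a script evaluates the constructed sample set; calling audit_account() instead produces the same PASS/FAIL/N/A verdicts for every project in a region, which is the result the console and CLI verification steps give for a single project.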
Additional Resources
- AWS CodeBuild User Guide - Build Project Settings
- AWS CodeBuild Logging and Monitoring
- S3 Server-Side Encryption
Notes
- This check only applies to CodeBuild projects that have S3 logging enabled. Projects using only CloudWatch Logs are not affected.
- By default, S3 log encryption uses SSE-S3 (AWS-managed keys). For additional control, consider using SSE-KMS with a customer-managed key.
- If you use a customer-managed KMS key, ensure your CodeBuild service role has permission to use that key.
- Enabling encryption does not affect existing log files; only new logs will be encrypted. Consider re-running builds if you need to ensure all logs are encrypted.