CodeBuild Report Group Exports Are Encrypted at Rest

Overview

This check verifies that AWS CodeBuild report groups configured to export test results to S3 have encryption enabled. Report groups set to NO_EXPORT are excluded from this check.

Risk

When report group exports are not encrypted, sensitive data in your test results is stored in plaintext. This can expose:

  • API tokens and secrets that appear in test output
  • Build paths and system configuration details
  • Credentials that may have been logged during testing

Attackers who gain access to unencrypted exports could use this information for credential theft or lateral movement within your environment.

Remediation Steps

Prerequisites

You need permission to modify CodeBuild report groups in your AWS account. Specifically, the codebuild:UpdateReportGroup permission is required.

AWS Console Method

  1. Open the AWS Console and go to CodeBuild
  2. In the left navigation, click Report groups
  3. Select the report group that needs encryption
  4. Click Edit
  5. Under Export settings, ensure an S3 bucket is configured
  6. Expand Additional configuration
  7. For Encryption key, choose one of:
    • AWS managed key (uses the default aws/s3 key)
    • Customer managed key (select your own KMS key for more control)
  8. Make sure Disable artifact encryption is NOT checked
  9. Click Update report group

AWS CLI (optional)

To enable encryption on an existing report group, run:

aws codebuild update-report-group \
  --region us-east-1 \
  --arn arn:aws:codebuild:us-east-1:123456789012:report-group/my-report-group \
  --export-config '{
    "exportConfigType": "S3",
    "s3Destination": {
      "bucket": "my-reports-bucket",
      "encryptionDisabled": false,
      "encryptionKey": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    }
  }'

Replace the placeholder values:

  • arn:aws:codebuild:us-east-1:123456789012:report-group/my-report-group - your report group ARN
  • my-reports-bucket - your S3 bucket name
  • arn:aws:kms:us-east-1:123456789012:key/... - your KMS key ARN

To list your report groups and find the ARN:

aws codebuild list-report-groups --region us-east-1

To view the current configuration of a report group:

aws codebuild batch-get-report-groups \
  --region us-east-1 \
  --report-group-arns arn:aws:codebuild:us-east-1:123456789012:report-group/my-report-group

CloudFormation (optional)

Use this template to create a new report group with encryption enabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: CodeBuild Report Group with encrypted S3 exports

Parameters:
  ReportGroupName:
    Type: String
    Description: Name of the CodeBuild report group
  ExportBucketName:
    Type: String
    Description: S3 bucket name for report exports
  KMSKeyArn:
    Type: String
    Description: ARN of the KMS key for encryption

Resources:
  CodeBuildReportGroup:
    Type: AWS::CodeBuild::ReportGroup
    Properties:
      Name: !Ref ReportGroupName
      Type: TEST
      ExportConfig:
        ExportConfigType: S3
        S3Destination:
          Bucket: !Ref ExportBucketName
          EncryptionDisabled: false
          EncryptionKey: !Ref KMSKeyArn
          Packaging: NONE

Outputs:
  ReportGroupArn:
    Description: ARN of the created report group
    Value: !GetAtt CodeBuildReportGroup.Arn

Key properties for encryption:

  • EncryptionDisabled: false - ensures encryption is enabled
  • EncryptionKey - specifies your KMS key ARN

Terraform (optional)

Use this configuration to create a report group with encryption:

resource "aws_codebuild_report_group" "encrypted_reports" {
  name = var.report_group_name
  type = "TEST"

  export_config {
    type = "S3"

    s3_destination {
      bucket              = var.export_bucket_name
      encryption_disabled = false
      encryption_key      = var.kms_key_arn
      packaging           = "NONE"
    }
  }
}

variable "report_group_name" {
  description = "Name of the CodeBuild report group"
  type        = string
}

variable "export_bucket_name" {
  description = "S3 bucket name for report exports"
  type        = string
}

variable "kms_key_arn" {
  description = "ARN of the KMS key for encryption"
  type        = string
}

Key settings for encryption:

  • encryption_disabled = false - ensures encryption is enabled
  • encryption_key - your KMS key ARN

Verification

After making changes, verify encryption is enabled:

  1. In the AWS Console, go to CodeBuild > Report groups
  2. Select your report group
  3. Under Export settings, confirm that encryption is enabled and a KMS key is specified

CLI verification

aws codebuild batch-get-report-groups \
  --region us-east-1 \
  --report-group-arns arn:aws:codebuild:us-east-1:123456789012:report-group/my-report-group \
  --query 'reportGroups[0].exportConfig.s3Destination.{EncryptionDisabled: encryptionDisabled, EncryptionKey: encryptionKey}'

Expected output for a properly configured report group:

{
  "EncryptionDisabled": false,
  "EncryptionKey": "arn:aws:kms:us-east-1:123456789012:key/..."
}
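The same verification, automated across every report group in a region rather than one ARN at a time. This is an added example and not the check's own implementation: the decision logic works on the reportGroups entries that batch-get-report-groups returns (NO_EXPORT is skipped, an S3 export with encryptionDisabled true fails, everything else passes), the sample entries are constructed with placeholder ARNs, and the audit_region function assumes boto3 is available and imports it lazily so the rest of the module runs offline.

```python
"""Evaluate CodeBuild report-group export encryption the way the check above does.

Added example, not the check's own implementation. The decision logic works on
the reportGroups entries returned by `aws codebuild batch-get-report-groups`;
the sample entries below are constructed and use placeholder ARNs.
"""
from typing import Dict, List

PASS = "PASS"
FAIL = "FAIL"
SKIP = "SKIP"  # NO_EXPORT report groups write nothing to S3 and are out of scope


def evaluate_report_group(report_group: Dict) -> Dict[str, str]:
    """Return {arn, status, reason} for one batch-get-report-groups entry."""
    arn = report_group.get("arn", "<unknown-arn>")
    export = report_group.get("exportConfig") or {}
    export_type = export.get("exportConfigType")

    if export_type == "NO_EXPORT":
        return {"arn": arn, "status": SKIP, "reason": "exportConfigType is NO_EXPORT"}
    if export_type != "S3":
        # Defensive: the API defines only S3 and NO_EXPORT; anything else is flagged.
        return {"arn": arn, "status": FAIL, "reason": f"unexpected exportConfigType {export_type!r}"}

    s3 = export.get("s3Destination") or {}
    # encryptionDisabled is the field the check keys on. A missing value is
    # treated as false (not disabled), matching the API's boolean default.
    if s3.get("encryptionDisabled", False):
        return {"arn": arn, "status": FAIL, "reason": "s3Destination.encryptionDisabled is true"}

    key = s3.get("encryptionKey") or "AWS managed key (aws/s3)"
    return {"arn": arn, "status": PASS, "reason": f"S3 export encrypted with {key}"}


def find_unencrypted_exports(report_groups: List[Dict]) -> List[str]:
    """ARNs of every report group that fails the check, in input order."""
    return [r["arn"] for r in map(evaluate_report_group, report_groups) if r["status"] == FAIL]


def encrypted_export_config(bucket: str, kms_key_arn: str) -> Dict:
    """exportConfig payload for update-report-group, matching the CLI step above."""
    return {
        "exportConfigType": "S3",
        "s3Destination": {
            "bucket": bucket,
            "encryptionDisabled": False,
            "encryptionKey": kms_key_arn,
        },
    }


def audit_region(region: str) -> List[Dict[str, str]]:
    """Live variant: list every report group in `region` and evaluate each.

    boto3 is imported here so the rest of the module runs offline. The
    batch-get API accepts at most 100 ARNs per call, hence the chunking.
    """
    import boto3  # assumed available in a real audit environment

    client = boto3.client("codebuild", region_name=region)
    arns: List[str] = []
    for page in client.get_paginator("list_report_groups").paginate():
        arns.extend(page.get("reportGroups", []))
    results: List[Dict[str, str]] = []
    for i in range(0, len(arns), 100):
        resp = client.batch_get_report_groups(reportGroupArns=arns[i:i + 100])
        results.extend(evaluate_report_group(rg) for rg in resp.get("reportGroups", []))
    return results


# Constructed sample entries in the shape batch-get-report-groups returns.
SAMPLE_REPORT_GROUPS: List[Dict] = [
    {
        "arn": "arn:aws:codebuild:us-east-1:123456789012:report-group/encrypted-cmk",
        "exportConfig": {
            "exportConfigType": "S3",
            "s3Destination": {
                "bucket": "my-reports-bucket",
                "encryptionDisabled": False,
                "encryptionKey": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
            },
        },
    },
    {
        "arn": "arn:aws:codebuild:us-east-1:123456789012:report-group/plaintext-export",
        "exportConfig": {
            "exportConfigType": "S3",
            "s3Destination": {"bucket": "my-reports-bucket", "encryptionDisabled": True},
        },
    },
    {
        "arn": "arn:aws:codebuild:us-east-1:123456789012:report-group/no-export",
        "exportConfig": {"exportConfigType": "NO_EXPORT"},
    },
]

if __name__ == "__main__":
    for result in map(evaluate_report_group, SAMPLE_REPORT_GROUPS):
        print(f"{result['status']:4} {result['arn']}  ({result['reason']})")
```

Running the module offline prints one line per constructed sample (PASS, FAIL, SKIP). Against a real account, call audit_region("us-east-1") with credentials that allow codebuild:ListReportGroups and codebuild:BatchGetReportGroups, then feed each FAIL ARN to the update-report-group command above with the payload from encrypted_export_config.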

Additional Resources

Notes

  • Report groups configured with NO_EXPORT do not store data in S3 and are not affected by this check
  • Using a customer-managed KMS key (rather than the AWS managed key) gives you more control over key rotation and access policies
  • Ensure the CodeBuild service role has permission to use your KMS key if using a customer-managed key
  • Enabling encryption on an existing report group does not retroactively encrypt previously exported reports