terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted

semgrep

Author

unknown

Download Count*

License

The AWS CodeBuild Project is unencrypted. The AWS KMS encryption key protects projects in the CodeBuild. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: aws-codebuild-project-unencrypted
    patterns:
      - pattern: |
          resource "aws_codebuild_project" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "aws_codebuild_project" $ANYTHING {
            ...
            encryption_key = ...
            ...
          }
    message: The AWS CodeBuild Project is unencrypted. The AWS KMS encryption key
      protects projects in the CodeBuild. To create your own, create a
      aws_kms_key resource or use the ARN string of a key in your account.
    languages:
      - hcl
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
      cwe:
        - "CWE-320: CWE CATEGORY: Key Management Errors"
      technology:
        - aws
        - terraform
      category: security
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues

Examples

aws-codebuild-project-unencrypted.tf

# pass

resource "aws_codebuild_project" "enabled" {
  name         = "example"
  service_role = "aws_iam_role.example.arn"

  encryption_key = "aws_kms_key.scanner_key.id"

  artifacts {
    type = "S3"
  }
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "docker:dind"
    type         = "LINUX_CONTAINER"
  }
  source {
    type = "NO_SOURCE"
  }
}

# fail
# ruleid: aws-codebuild-project-unencrypted
resource "aws_codebuild_project" "default" {
  name         = "example"
  service_role = "aws_iam_role.example.arn"

  artifacts {
    type = "S3"
  }
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "docker:dind"
    type         = "LINUX_CONTAINER"
  }
  source {
    type = "NO_SOURCE"
  }
}

# unknown

# ruleid: aws-codebuild-project-unencrypted
resource "aws_codebuild_project" "no_artifacts" {
  name         = "example"
  service_role = "aws_iam_role.example.arn"

  artifacts {
    type = "NO_ARTIFACTS"
  }
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "docker:dind"
    type         = "LINUX_CONTAINER"
  }
  source {
    type = "NO_SOURCE"
  }
}

Short Link: https://sg.run/5yxA