terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted
semgrep
Author: unknown
The AWS CodeBuild Project is unencrypted. An AWS KMS encryption key protects the build output of a CodeBuild project; when none is configured the project falls back to the default key rather than a key you control. To use your own key, create an aws_kms_key resource or supply the ARN string of an existing key in your account as encryption_key.

Definition
rules:
  - id: aws-codebuild-project-unencrypted
    patterns:
      - pattern: |
          resource "aws_codebuild_project" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "aws_codebuild_project" $ANYTHING {
            ...
            encryption_key = ...
            ...
          }
    message: The AWS CodeBuild Project is unencrypted. The AWS KMS encryption key
      protects projects in the CodeBuild. To create your own, create a
      aws_kms_key resource or use the ARN string of a key in your account.
    languages:
      - hcl
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
      cwe:
        - "CWE-320: CWE CATEGORY: Key Management Errors"
      technology:
        - aws
        - terraform
      category: security
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
Examples

aws-codebuild-project-unencrypted.tf

# pass
# The rule only checks that an encryption_key argument is present; the quoted
# values below are test-fixture placeholders, not real Terraform references.
resource "aws_codebuild_project" "enabled" {
  name           = "example"
  service_role   = "aws_iam_role.example.arn"
  encryption_key = "aws_kms_key.scanner_key.id"

  artifacts {
    type = "S3"
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "docker:dind"
    type         = "LINUX_CONTAINER"
  }

  source {
    type = "NO_SOURCE"
  }
}

# fail
# ruleid: aws-codebuild-project-unencrypted
resource "aws_codebuild_project" "default" {
  name         = "example"
  service_role = "aws_iam_role.example.arn"

  artifacts {
    type = "S3"
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "docker:dind"
    type         = "LINUX_CONTAINER"
  }

  source {
    type = "NO_SOURCE"
  }
}

# unknown
# ruleid: aws-codebuild-project-unencrypted
resource "aws_codebuild_project" "no_artifacts" {
  name         = "example"
  service_role = "aws_iam_role.example.arn"

  artifacts {
    type = "NO_ARTIFACTS"
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "docker:dind"
    type         = "LINUX_CONTAINER"
  }

  source {
    type = "NO_SOURCE"
  }
}
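The remediation the rule message describes, written out as an added example rather than code from the rule's own test file: a customer-managed KMS key referenced by ARN, plus the KMS permissions the build's service role needs so builds do not fail once the key is enforced. The role aws_iam_role.build and bucket aws_s3_bucket.artifacts are assumed to exist elsewhere in the configuration.

```hcl
# Customer-managed key so artifact and cache encryption is under your control.
resource "aws_kms_key" "codebuild" {
  description             = "CMK for CodeBuild artifacts and cache"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "codebuild" {
  name          = "alias/codebuild-artifacts"
  target_key_id = aws_kms_key.codebuild.key_id
}

# The service role must be allowed to use the key; with the default key policy
# (which delegates to IAM) an identity policy on the role is sufficient.
# aws_iam_role.build is assumed to be defined elsewhere.
resource "aws_iam_role_policy" "codebuild_kms" {
  name = "codebuild-kms"
  role = aws_iam_role.build.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
      Resource = aws_kms_key.codebuild.arn
    }]
  })
}

resource "aws_codebuild_project" "encrypted" {
  name           = "example"
  service_role   = aws_iam_role.build.arn
  encryption_key = aws_kms_key.codebuild.arn # ARN reference; satisfies pattern-not-inside

  artifacts {
    type     = "S3"
    location = aws_s3_bucket.artifacts.bucket # assumed bucket resource
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "docker:dind"
    type         = "LINUX_CONTAINER"
  }

  source {
    type = "NO_SOURCE"
  }
}
```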
Short Link: https://sg.run/5yxA