Control: AWS > PCI v3.2.1 > CodeBuild > 2 CodeBuild project environment variables should not contain clear text credentials
This control checks whether the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
You can use CodeBuild in your PCI DSS environment to compile your source code, run unit tests, or produce artifacts that are ready to deploy. If you do, never store the authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in clear text.
Using environment variables to store credentials in your CodeBuild project may violate the requirement to use strong cryptography to render authentication credentials unreadable.
Remediation
To remove an environment variable
- Open the CodeBuild console.
- Expand Build, choose Build project, and then choose the build project that contains plaintext credentials.
- From Edit, choose Environment.
- Expand Additional configuration and then scroll to Environment variables.
- Choose Remove next to the environment variable.
- Choose Update environment.
To store sensitive values in the Amazon EC2 Systems Manager Parameter Store and then retrieve them from your build spec
- Open the CodeBuild console.
- Expand Build, choose Build project, and then choose your build project that contains plaintext credentials.
- From Edit, choose Environment.
- Expand Additional configuration and then scroll to Environment variables.
- In AWS Systems Manager, create a Systems Manager parameter that contains your sensitive data. For instructions on how to do this, refer to the tutorial in the AWS Systems Manager User Guide.
- After you create the parameter, copy the parameter name.
- Back in the CodeBuild console, choose Create environment variable.
- For Name, enter the name of your variable as it appears in your build spec.
- For Value, paste in the name of your parameter.
- From Type, choose Parameter.
- Choose Remove next to your noncompliant environment variable that contains plaintext credentials.
- Choose Update environment.
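The check this control performs, and the remediation it describes, can be reproduced offline against a project definition of the shape returned by the CodeBuild API (the "environment.environmentVariables" list, where each entry has a name, a value and a type of PLAINTEXT, PARAMETER_STORE or SECRETS_MANAGER). The following is an added example, not Turbot's control code; the project JSON is a constructed sample, and the helper names are assumptions.

```python
"""Flag CodeBuild environment variables that hold clear-text AWS credentials
and show the Parameter Store rewrite the remediation steps describe.
Works on a dict shaped like one entry of `aws codebuild batch-get-projects`.
"""
import json

# The two variable names this control looks for.
SENSITIVE_AWS_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}

# Constructed sample project (not a real project): one PLAINTEXT secret, one
# with no explicit type (CodeBuild treats a missing type as PLAINTEXT), one
# variable already stored as a Parameter Store reference, one harmless value.
SAMPLE_PROJECT = json.loads("""
{
  "name": "example-build",
  "environment": {
    "environmentVariables": [
      {"name": "AWS_ACCESS_KEY_ID", "value": "EXAMPLE-KEY-ID-PLACEHOLDER", "type": "PLAINTEXT"},
      {"name": "AWS_SECRET_ACCESS_KEY", "value": "example-secret-placeholder"},
      {"name": "DB_PASSWORD", "value": "/example-build/db_password", "type": "PARAMETER_STORE"},
      {"name": "BUILD_ENV", "value": "prod", "type": "PLAINTEXT"}
    ]
  }
}
""")


def plaintext_aws_credentials(project):
    """Return the sorted names of sensitive AWS variables stored as PLAINTEXT.
    A missing "type" is treated as PLAINTEXT, matching the API default."""
    env_vars = project.get("environment", {}).get("environmentVariables", [])
    return sorted(
        v["name"] for v in env_vars
        if v["name"] in SENSITIVE_AWS_VARS
        and v.get("type", "PLAINTEXT") == "PLAINTEXT"
    )


def to_parameter_store(project, parameter_names):
    """Return a new environmentVariables list in which each variable named in
    parameter_names now references the given Systems Manager parameter name
    with type PARAMETER_STORE; all other variables are left unchanged."""
    rewritten = []
    for v in project["environment"]["environmentVariables"]:
        if v["name"] in parameter_names:
            v = {"name": v["name"], "value": parameter_names[v["name"]], "type": "PARAMETER_STORE"}
        rewritten.append(v)
    return rewritten


if __name__ == "__main__":
    offending = plaintext_aws_credentials(SAMPLE_PROJECT)
    print("non-compliant:", offending)  # ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY']
    fixed = to_parameter_store(SAMPLE_PROJECT, {n: f"/example-build/{n.lower()}" for n in offending})
    print("after fix:", plaintext_aws_credentials({"environment": {"environmentVariables": fixed}}))  # []
```

The same evaluation applies to a live project once its definition is fetched with the AWS CLI or SDK; the value of the parameter itself never appears in the project definition, only its name.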
PCI requirement(s): 8.2.1
Resource Types
This control targets the following resource types:

Category
- tmod:@turbot/turbot#/control/categories/compliancePci

Developers
Control type:
- tmod:@turbot/aws-pciv3-2-1#/control/types/codeBuildProjectPlaintextEnvVariablesNoSensitiveAwsValues
Get Controls (Turbot CLI):
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/codeBuildProjectPlaintextEnvVariablesNoSensitiveAwsValues"