Turbot Guardrails Hub 
Control: AWS > PCI v3.2.1 > CodeBuild > 2 CodeBuild project environment variables should not contain clear text credentials

This control checks whether the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

You can use CodeBuild in your PCI DSS environment to compile your source code, run unit tests, or produce artifacts that are ready to deploy. If you do, never store the authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in clear text.

Using environment variables to store credentials in your CodeBuild project may violate the requirement to use strong cryptography to render authentication credentials unreadable.

Remediation

To remove an environment variable that contains plaintext credentials

1. Open the CodeBuild console.
2. Expand Build, choose Build project, and then choose the build project that contains plaintext credentials.
3. From Edit, choose Environment.
4. Expand Additional configuration and then scroll to Environment variables.
5. Choose Remove next to the environment variable.
6. Choose Update environment.

To store sensitive values in the Amazon EC2 Systems Manager Parameter Store and then retrieve them from your build spec

1. Open the CodeBuild console.
2. Expand Build, choose Build project, and then choose your build project that contains plaintext credentials.
3. From Edit, choose Environment.
4. Expand Additional configuration and then scroll to Environment variables.
5. In AWS Systems Manager, create a Systems Manager parameter that contains your sensitive data. For instructions on how to do this, refer to the tutorial in the AWS Systems Manager User Guide.
6. After you create the parameter, copy the parameter name.
7. Back in the CodeBuild console, choose Create environment variable.
8. For name, enter the name of your variable as it appears in your build spec.
9. For value, paste in the name of your parameter.
10. From type, choose Parameter.
11. Choose Remove next to your noncompliant environment variable that contains plaintext credentials.
12. Choose Update environment.
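The following is an added example, not Turbot's control implementation or AWS sample code. It evaluates a CodeBuild project the way this control describes (are AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY present as PLAINTEXT environment variables?) and then rewrites those entries into the Parameter Store form the second remediation procedure produces. The input is a constructed dict in the shape of a boto3 `codebuild.batch_get_projects()` project record; the project name, credential values and parameter names are placeholders, and the function names are the example's own.

```python
"""Added example: check a CodeBuild project for plaintext AWS credentials
and show the compliant PARAMETER_STORE shape.  Not Turbot's or AWS's code."""

# Environment variable names this control looks for.
SENSITIVE_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}

# Constructed sample in the shape of one entry of
# codebuild.batch_get_projects()["projects"]; all values are placeholders.
NONCOMPLIANT_PROJECT = {
    "name": "example-build-project",  # placeholder
    "environment": {
        "environmentVariables": [
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIA-PLACEHOLDER", "type": "PLAINTEXT"},
            {"name": "AWS_SECRET_ACCESS_KEY", "value": "secret-placeholder", "type": "PLAINTEXT"},
            {"name": "BUILD_ENV", "value": "prod", "type": "PLAINTEXT"},
        ]
    },
}


def find_plaintext_credentials(project):
    """Return the names of environment variables that fail this control.

    A variable fails when its name is one of the sensitive credential names
    and its type is PLAINTEXT.  PARAMETER_STORE and SECRETS_MANAGER entries
    hold a reference to the secret, not the secret itself, so they pass.
    The CodeBuild API treats a missing type as PLAINTEXT, which is mirrored
    by the default below.
    """
    env_vars = project.get("environment", {}).get("environmentVariables", [])
    return sorted(
        v["name"]
        for v in env_vars
        if v.get("name") in SENSITIVE_NAMES and v.get("type", "PLAINTEXT") == "PLAINTEXT"
    )


def control_state(project):
    """Map the finding to the alarm/ok states a control would report."""
    return "alarm" if find_plaintext_credentials(project) else "ok"


def remediate_to_parameter_store(project, parameter_names):
    """Return a new environmentVariables list with each plaintext credential
    replaced by a PARAMETER_STORE reference whose value is the parameter name.

    `parameter_names` maps the env var name to the Systems Manager parameter
    that already holds the secret (step 5 of the procedure above).  Only the
    offending entries change; everything else is copied through unchanged.
    """
    fixed = []
    for v in project["environment"]["environmentVariables"]:
        if v["name"] in SENSITIVE_NAMES and v.get("type", "PLAINTEXT") == "PLAINTEXT":
            fixed.append(
                {"name": v["name"], "value": parameter_names[v["name"]], "type": "PARAMETER_STORE"}
            )
        else:
            fixed.append(dict(v))
    return fixed


if __name__ == "__main__":
    print("before:", control_state(NONCOMPLIANT_PROJECT), find_plaintext_credentials(NONCOMPLIANT_PROJECT))
    fixed_vars = remediate_to_parameter_store(
        NONCOMPLIANT_PROJECT,
        {  # placeholder parameter names
            "AWS_ACCESS_KEY_ID": "/example/codebuild/access-key-id",
            "AWS_SECRET_ACCESS_KEY": "/example/codebuild/secret-access-key",
        },
    )
    fixed_project = {"environment": {"environmentVariables": fixed_vars}}
    print("after:", control_state(fixed_project), fixed_vars)
```

Against a live account you would feed `find_plaintext_credentials` each project returned by `batch_get_projects` and then apply the rewritten list through `update_project`; the example keeps the data inline so the check and the before/after shapes can be inspected without AWS access.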

PCI requirement(s): 8.2.1

Resource Types

This control targets the following resource types:

  • AWS > CodeBuild > Project

Policies

This control type relies on these other policies when running actions:

  • AWS > PCI v3.2.1

Category

  • Compliance > PCI

In Your Workspace

  • Controls by Resource report
  • Controls by Control Type report

Developers

  • Control Type URI
    • tmod:@turbot/aws-pciv3-2-1#/control/types/codeBuildProjectPlaintextEnvVariablesNoSensitiveAwsValues
  • Category URI
    • tmod:@turbot/turbot#/control/categories/compliancePci
  • GraphQL
    • query controlType(id: "tmod:@turbot/aws-pciv3-2-1#/control/types/codeBuildProjectPlaintextEnvVariablesNoSensitiveAwsValues") { … }
    • query controls(filter: "controlTypeId:'tmod:@turbot/aws-pciv3-2-1#/control/types/codeBuildProjectPlaintextEnvVariablesNoSensitiveAwsValues'") { … }
  • CLI
    • Get Controls
    • turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/codeBuildProjectPlaintextEnvVariablesNoSensitiveAwsValues"