Control: AWS > PCI v3.2.1 > CodeBuild > 2 CodeBuild project environment variables should not contain clear text credentials

This control checks whether the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

You can use CodeBuild in your PCI DSS environment to compile your source code, runs unit tests, or produce artifacts that are ready to deploy. If you do, never store the authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in clear text.

Using environmental variables to store credentials in your CodeBuild project may violate the requirement to use strong cryptography to render authentication credentials unreadable.

Remediation

To enable Elastic Load Balancing health checks

Open the CodeBuild console
Expand Build, choose Build project, and then choose the build project that contains plaintext credentials.
From Edit, choose Environment.
Expand Additional configuration and then scroll to Environment variables.
Choose Remove next to the environment variable.
Choose Update environment.

To store sensitive values in the Amazon EC2 Systems Manager Parameter Store and then retrieve them from your build spec

Open the CodeBuild console
Expand Build, choose Build project, and then choose your build project that contains plaintext credentials.
From Edit, choose Environment.
Expand Additional configuration and then scroll to Environment variables.
In AWS Systems Manager, create a Systems Manager parameter that contains your sensitive data. For instructions on how to do this, refer to the tutorial in the AWS Systems Manager User Guide.
After you create the parameter, copy the parameter name.
Back in the CodeBuild console, choose Create environmental variable.
For name, enter the name of your variable as it appears in your build spec.
For value, paste in the name of your parameter.
From type, choose Parameter.
Choose Remove next to your noncompliant environmental variable that contains plaintext credentials.
Choose Update environment.

PCI requirement(s): 8.2.1

Resource Types

This control targets the following resource types:

AWS > CodeBuild > Project

In Your Workspace

Developers

Control Type URI

tmod:@turbot/aws-pciv3-2-1#/control/types/codeBuildProjectPlaintextEnvVariablesNoSensitiveAwsValues

Category URI

tmod:@turbot/turbot#/control/categories/compliancePci

GraphQL

query controlType(id: "tmod:@turbot/aws-pciv3-2-1#/control/types/codeBuildProjectPlaintextEnvVariablesNoSensitiveAwsValues") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-pciv3-2-1#/control/types/codeBuildProjectPlaintextEnvVariablesNoSensitiveAwsValues'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/codeBuildProjectPlaintextEnvVariablesNoSensitiveAwsValues"