CodeBuild projects should have artifact encryption enabled

CodeBuild artifacts often contain compiled binaries, packaged containers, or bundled application code that may embed secrets, API keys, or proprietary logic. When artifact encryption is disabled, these outputs are written to S3 in plaintext, exposing them to anyone with bucket-level read access.

Default behavior in CodeBuild encrypts artifacts with the AWS-managed S3 key (aws/s3). Explicitly setting encryption_disabled = true overrides that default and is almost never intentional. Catching this misconfiguration early prevents accidental data exposure in CI/CD pipelines.

Retrofit consideration

Enabling encryption on an existing project does not re-encrypt previously stored unencrypted artifacts. You must re-run builds or manually copy objects with encryption to remediate historical outputs.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_codebuild_project.

resource "aws_codebuild_project" "this" {
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/amazonlinux2-x86_64-standard:5.0"
    type         = "LINUX_CONTAINER"
  }

  logs_config {
    cloudwatch_logs {
      status = "ENABLED"
    }
  }

  name         = "pofix-abc123"
  service_role = "arn:aws:iam::123456789012:role/example-role"

  source {
    buildspec = "version: 0.2\nphases:\n  build:\n    commands:\n      - echo hello"
    type      = "NO_SOURCE"
  }

  artifacts {
    encryption_disabled = false
    location            = "example-bucket-abc123"
    type                = "S3"
  }
}

What this control checks

In the aws_codebuild_project resource, the artifacts block accepts an encryption_disabled argument that defaults to false, so artifacts are encrypted unless you explicitly override it. The control fails when encryption_disabled is set to true. The same check applies to every entry in the secondary_artifacts block: encryption_disabled must be false or omitted there as well. To pass, omit the argument entirely or set encryption_disabled = false in both artifacts and every secondary_artifacts block. To use a customer-managed key instead of the default aws/s3 key, set encryption_key at the top level of the aws_codebuild_project resource to the KMS key ARN.

Common pitfalls

  • Artifact type NO_ARTIFACTS still evaluated

    When artifacts.type is NO_ARTIFACTS, the encryption_disabled argument can still appear in Terraform state, and some scanning tools will flag it even though no artifacts are produced. Omit the argument or set encryption_disabled = false to avoid false positives.

  • Secondary artifacts often overlooked

    A single secondary artifact with encryption_disabled = true fails the entire project. The secondary_artifacts block gets less scrutiny during code review, and each entry carries its own encryption_disabled flag independent of the primary artifacts block. Review every secondary artifact block, not just the primary.

  • encryption_key vs encryption_disabled confusion

    Setting encryption_key on the aws_codebuild_project resource controls which KMS key to use. It does not override encryption_disabled = true on individual artifact blocks. The two settings are independent: you must set encryption_disabled = false even when a custom encryption_key is configured.

  • Terraform import may surface hidden defaults

    Importing an existing CodeBuild project with terraform import can cause encryption_disabled to appear explicitly as false in state. If your HCL omits it, a spurious plan diff shows up. Pin encryption_disabled = false explicitly to keep plans clean.

Audit evidence

Auditors expect Config rule evaluation results showing all CodeBuild projects evaluated as compliant, or equivalent findings from a CSPM tool. Supporting evidence includes the BatchGetProjects API response showing encryptionDisabled: false for the artifacts and secondaryArtifacts fields across all projects in scope.
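The check described under "What this control checks" and the BatchGetProjects evidence described in the paragraph above can both be evaluated offline from JSON. The following is an added Python example, not code from Compliance.tf or from any tool listed on this page. It reads `terraform show -json` plan output (snake_case fields, nested blocks emitted as lists) and `aws codebuild batch-get-projects` output (camelCase fields), applies the same rule to both, and records the KMS key for evidence without letting it change the verdict. The sample inputs, project names and the KMS key id are constructed; the account id is the one used on this page.

```python
"""Evaluate CodeBuild artifact encryption from Terraform plan JSON or from the
BatchGetProjects API response (added example, not the project's own code)."""
import json

FLAG_SNAKE, FLAG_CAMEL = "encryption_disabled", "encryptionDisabled"

# Constructed `terraform show -json tfplan` output, trimmed to the fields read here.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_codebuild_project.good", "type": "aws_codebuild_project",
     "values": {"name": "good-project", "encryption_key": None,
                "artifacts": [{"type": "S3", "encryption_disabled": False}],
                "secondary_artifacts": []}},
    {"address": "aws_codebuild_project.bad_secondary", "type": "aws_codebuild_project",
     "values": {"name": "bad-secondary",
                # Placeholder key ARN: a customer-managed key does not rescue a disabled flag.
                "encryption_key": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",
                "artifacts": [{"type": "S3", "encryption_disabled": False}],
                "secondary_artifacts": [
                    {"artifact_identifier": "reports", "type": "S3", "encryption_disabled": True},
                    {"artifact_identifier": "docs", "type": "S3", "encryption_disabled": False}]}},
]}}}

# Constructed `aws codebuild batch-get-projects` output (camelCase field names).
SAMPLE_API = {"projects": [
    {"name": "legacy-project",
     "artifacts": {"type": "S3", "location": "example-bucket-abc123", "encryptionDisabled": True},
     "secondaryArtifacts": []}], "projectsNotFound": []}


def _field(block, snake, camel, default=None):
    """Read one field from a Terraform plan block (snake_case) or an API object
    (camelCase); the two evidence sources differ only in casing."""
    if snake in block:
        return block[snake]
    return block.get(camel, default)


def evaluate_project(name, primary, secondaries, encryption_key=None):
    """Apply the control to one project: pass only when encryption_disabled is
    false or absent on the primary block and on every secondary block. The key
    is recorded for evidence but never affects the verdict (independent settings)."""
    violations = []
    if primary is not None and _field(primary, FLAG_SNAKE, FLAG_CAMEL) is True:
        violations.append("artifacts")
    for sec in secondaries:
        if _field(sec, FLAG_SNAKE, FLAG_CAMEL) is True:
            ident = _field(sec, "artifact_identifier", "artifactIdentifier", "?")
            violations.append(f"secondary_artifacts[{ident}]")
    return {"name": name, "compliant": not violations, "violations": violations,
            "encryption_key": encryption_key or "aws/s3 (AWS-managed default)"}


def _walk_modules(module):
    """Yield every resource in a plan module tree, child modules included."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def evaluate_plan(plan):
    """Evaluate every aws_codebuild_project in `terraform show -json` output."""
    results = []
    for res in _walk_modules(plan["planned_values"]["root_module"]):
        if res.get("type") != "aws_codebuild_project":
            continue
        values = res.get("values", {})
        # Nested blocks are lists in plan JSON; `artifacts` has at most one entry.
        primary = (values.get("artifacts") or [None])[0]
        results.append(evaluate_project(values.get("name", res.get("address")), primary,
                                        values.get("secondary_artifacts") or [],
                                        values.get("encryption_key")))
    return results


def evaluate_batch_get_projects(response):
    """Evaluate every project in an `aws codebuild batch-get-projects` response."""
    return [evaluate_project(proj["name"], proj.get("artifacts"),
                             proj.get("secondaryArtifacts") or [], proj.get("encryptionKey"))
            for proj in response.get("projects", [])]


if __name__ == "__main__":
    # Usage: pipe real plan or API JSON through json.load() in place of the samples.
    print(json.dumps({"terraform_plan": evaluate_plan(SAMPLE_PLAN),
                      "batch_get_projects": evaluate_batch_get_projects(SAMPLE_API)}, indent=2))
```

Running the block as written reports `bad-secondary` as non-compliant because of its `reports` secondary artifact, despite the customer-managed key, and `legacy-project` as non-compliant on its primary block; the `encryption_key` field in each result is what you would attach as evidence alongside the verdict.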

For stronger assurance, provide the KMS key policy governing artifact encryption and CloudTrail logs showing kms:GenerateDataKey calls tied to CodeBuild build executions, confirming encryption is active at runtime.

Framework-specific interpretation

PCI DSS v4.0: Requirement 3 covers protection of stored account data. If build artifacts can contain account data, disabling encryption on those outputs directly increases cardholder data risk. A customer-managed KMS key can support the key-management practices Requirement 3.6 calls for, but this control is one part of meeting Requirement 3, not a complete answer: broader data classification, scope definition, and key-management controls are also required.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: codebuild_project_artifact_encryption_enabled

  • AWS Config Managed Rule: CODEBUILD_PROJECT_ARTIFACT_ENCRYPTION

  • Checkov Check: CKV_AWS_78

  • Powerpipe Control: aws_compliance.control.codebuild_project_artifact_encryption_enabled

  • Trivy Check: AWS-0018

Last reviewed: 2026-03-09