
CodeBuild report group exports should be encrypted at rest

CodeBuild report groups can contain test results, code coverage data, and other build artifacts that may include sensitive information about your application's internals, security test outcomes, or proprietary logic. Exporting these reports to S3 without encryption at rest means the data sits unprotected on disk, readable by anyone who gains access to that storage.

A compromised or misconfigured S3 bucket already presents risk. Unencrypted exports compound that risk by removing the last protection for data at rest.

Retrofit consideration

Changing encryption settings on an existing report group may require recreating the resource if the export configuration type changes. Existing unencrypted exports already in S3 will not be retroactively encrypted.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_codebuild_report_group.

resource "aws_codebuild_report_group" "this" {
  name = "pofix-abc123"
  type = "TEST"

  export_config {
    s3_destination {
      bucket              = "example-bucket-abc123"
      encryption_disabled = false
      encryption_key      = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    }
    type = "S3"
  }
}

What this control checks

In aws_codebuild_report_group, the export_config block must be configured for S3 exports with encryption enabled. When export_config.type is "S3", the nested s3_destination block must either omit encryption_disabled (it defaults to false) or explicitly set encryption_disabled = false. Specifying encryption_key with a KMS key ARN enables customer-managed encryption. If encryption_key is omitted, AWS uses SSE-S3. Setting encryption_disabled = true causes the control to fail. Report groups with export_config.type set to "NO_EXPORT" are not evaluated, since no data leaves CodeBuild.
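The same decision written out as an added Python check over constructed report group records (example code, not Compliance.tf's, AWS Config's or the Terraform provider's own); the records follow the CodeBuild BatchGetReportGroups response shape as I understand it, so the exportConfigType field name, the group names and the key ARN are assumptions and placeholders:

```python
# Constructed sample records shaped after the CodeBuild BatchGetReportGroups
# response (exportConfig.exportConfigType / exportConfig.s3Destination).
# Names, bucket and key ARN are placeholders, not real resources.
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID"
SAMPLE_REPORT_GROUPS = [
    {  # flag omitted: API default is False, so SSE-S3 applies -> compliant
        "name": "rg-default-sse", "type": "TEST",
        "exportConfig": {"exportConfigType": "S3",
                         "s3Destination": {"bucket": "example-bucket-abc123"}}},
    {  # explicit false plus a KMS key -> compliant, customer-managed encryption
        "name": "rg-kms", "type": "CODE_COVERAGE",
        "exportConfig": {"exportConfigType": "S3",
                         "s3Destination": {"bucket": "example-bucket-abc123",
                                           "encryptionDisabled": False,
                                           "encryptionKey": KEY_ARN}}},
    {  # encryption switched off -> the finding this control exists to catch
        "name": "rg-plaintext", "type": "TEST",
        "exportConfig": {"exportConfigType": "S3",
                         "s3Destination": {"bucket": "example-bucket-abc123",
                                           "encryptionDisabled": True}}},
    {  # nothing leaves CodeBuild -> not evaluated
        "name": "rg-no-export", "type": "TEST",
        "exportConfig": {"exportConfigType": "NO_EXPORT"}},
]


def evaluate_report_group(group: dict) -> str:
    """COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE for one report group,
    following the decision the control description lays out."""
    export = group.get("exportConfig") or {}
    if export.get("exportConfigType") != "S3":
        return "NOT_APPLICABLE"  # NO_EXPORT: no report data at rest in S3
    dest = export.get("s3Destination") or {}
    # A missing flag means the default (False): SSE-S3 still protects the export.
    if dest.get("encryptionDisabled", False):
        return "NON_COMPLIANT"
    return "COMPLIANT"


def uses_customer_managed_key(group: dict) -> bool:
    """True when the export names a KMS key (encryption_key in Terraform);
    False means AWS falls back to SSE-S3."""
    dest = (group.get("exportConfig") or {}).get("s3Destination") or {}
    return bool(dest.get("encryptionKey"))


def evaluate_all(groups: list) -> dict:
    """Name -> evaluation map, the per-resource shape an audit summary reports."""
    return {g["name"]: evaluate_report_group(g) for g in groups}
```

Feeding real BatchGetReportGroups output into evaluate_all gives the same per-resource verdicts the Config rule reports, which is useful for checking the rule's results against a second source.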

Common pitfalls

  • Default encryption_disabled is false but explicit is safer

    Explicitly setting encryption_disabled = false in your s3_destination block is better than relying on the default. The argument defaults to false, so omitting it technically passes, but implicit defaults invite confusion during code reviews and make the security intent invisible to the next engineer reading the config.

  • S3 bucket default encryption is separate from this control

    Bucket-level default encryption via aws_s3_bucket_server_side_encryption_configuration and this control evaluate different things. This control checks the encryption_disabled flag on the report group export config, not the bucket's encryption settings. Both should be enabled, but passing this check requires the report group flag to be set correctly, regardless of what the destination bucket does.

  • KMS key deletion can break report exports silently

    If the KMS key referenced in encryption_key is scheduled for deletion or its key policy is changed, report exports will start failing. This failure may not be obvious unless you have CloudWatch alarms on CodeBuild build failures or KMS errors. Use aws_kms_alias references rather than hardcoded ARNs, and monitor key status proactively.

  • Terraform import may not capture encryption settings

    When importing an existing aws_codebuild_report_group with terraform import, check that the resulting state includes the full export_config.s3_destination block. Missing or drifted encryption settings produce a false sense of compliance that won't surface until the next terraform plan.

Audit evidence

AWS Config rule evaluation results showing all aws_codebuild_report_group resources as compliant are the primary evidence artifact. The Config rule codebuild-report-group-encrypted-at-rest (or an equivalent custom rule) provides per-resource compliance status. Supporting evidence includes the CodeBuild console showing export configuration with encryption enabled, and CloudTrail logs for CreateReportGroup or UpdateReportGroup calls confirming exportConfig.s3Destination.encryptionDisabled was set to false.

If a KMS CMK is in use, expect auditors to also request the key policy, retrievable via aws kms get-key-policy, showing appropriate access restrictions.

Framework-specific interpretation

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: codebuild_report_group_export_encryption_at_rest_enabled

  • AWS Config Managed Rule: CODEBUILD_REPORT_GROUP_ENCRYPTED_AT_REST

  • Powerpipe Control: aws_compliance.control.codebuild_report_group_export_encryption_at_rest_enabled

  • Prowler Check: codebuild_report_group_export_encrypted

  • AWS Security Hub Control: CodeBuild.7

Last reviewed: 2026-03-09