
Remove CodeBuild Project Environment Variables with Clear Text Credentials


Risk Level: High (not acceptable risk)

Amazon CodeBuild project environment variables should not contain credentials such as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in clear text because these would be accessible to anyone with access to the CodeBuild console and AWS CLI, posing a security risk and making it easier for unauthorized personnel to access sensitive information.

Security

To ensure the security of your secret access information and protect it from unauthorized personnel, the best practice is to avoid passing credentials via plaintext environment variables in CodeBuild project environments. Instead, opt for a more secure approach by storing sensitive data in the AWS Systems Manager Parameter Store or AWS Secrets Manager. This provides a safe and protected location to keep your credentials. Subsequently, you can retrieve these credentials from your build specification (buildspec) when needed, ensuring a secure way to pass sensitive information to your build projects.


Audit

To determine if CodeBuild project environment variables use clear text credentials, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Developer Tools console at https://console.aws.amazon.com/codesuite.

  3. In the left navigation panel, under Build - CodeBuild, choose Build projects.

  4. Click on the name (link) of the CodeBuild build project that you want to examine.

  5. Select the Build details tab to access the configuration information available for the selected build project.

  6. In the Environment section, choose Environment variables and check each variable created for the selected project environment, listed in the Environment variables section. If one or more environment variables contain credentials such as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, and have the Type attribute set to PLAINTEXT, the selected Amazon CodeBuild build project uses environment variables that store credentials in clear text.

  7. Repeat steps no. 4 – 6 for each Amazon CodeBuild build project available within your AWS cloud account.

Using AWS CLI

  1. Run the list-projects command (OSX/Linux/UNIX) with a custom query filter to list the name of each Amazon CodeBuild build project created in your AWS cloud account:

    aws codebuild list-projects \
      --region us-east-1 \
      --output table \
      --query 'projects'
    
  2. The command output should return a table with the requested project names:

    --------------------------
    |      ListProjects      |
    +------------------------+
    |  cc-repo-code-project  |
    |  cc-webapp-ai-project  |
    +------------------------+
    
  3. Run the batch-get-projects command (OSX/Linux/UNIX) with the name of the Amazon CodeBuild build project that you want to examine as the identifier parameter and a custom query filter to describe the environment variables defined for the selected build project:

    aws codebuild batch-get-projects \
      --region us-east-1 \
      --names cc-repo-code-project \
      --query 'projects[*].environment.environmentVariables[]'
    
  4. The command output should return the environment variables created for the selected project:

    [
    	{
    		"name": "AWS_ACCESS_KEY_ID",
    		"value": "ABCD1234ABCD1234ABCD",
    		"type": "PLAINTEXT"
    	},
    	{
    		"name": "AWS_SECRET_ACCESS_KEY",
    		"value": "abcd1234abcd1234abcd1234abcd1234abcd1234",
    		"type": "PLAINTEXT"
    	}
    ]
    

    Check each environment variable (object) returned by the batch-get-projects command output. If one or more environment variables contain credentials such as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, and have the "type" attribute set to "PLAINTEXT", as shown in the output example above, the selected Amazon CodeBuild build project uses environment variables that store credentials in clear text.

  5. Repeat steps no. 3 and 4 for each Amazon CodeBuild build project deployed within your AWS cloud account.

Remediation / Resolution

To remove environment variables with clear text credentials from your Amazon CodeBuild build projects, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Store the environment variable with the sensitive value as a parameter in Amazon EC2 Systems Manager Parameter Store or AWS Secrets Manager.

  3. Navigate to AWS Developer Tools console at https://console.aws.amazon.com/codesuite.

  4. In the left navigation panel, under Build - CodeBuild, choose Build projects.

  5. Click on the name (link) of the CodeBuild build project that you want to configure.

  6. Select the Build details tab to access the configuration information available for the selected build project.

  7. Choose Edit from the Environment section to modify the environment configuration available for the selected build project.

  8. On the Edit Environment page, perform the following actions:

    1. Choose the environment variable that you want to delete from the Environment variables section, and select Remove.
    2. Choose Add environment variable to add the environment variable deleted at the previous step, stored within Amazon EC2 Systems Manager Parameter Store or AWS Secrets Manager. For Name and Value, follow the instruction provided by the Systems Manager Parameter Store/Secrets Manager service and provide the necessary information. For Type, choose Parameter for variables managed with AWS Systems Manager Parameter Store and Secrets Manager for variables stored with AWS Secrets Manager.
    3. Choose Update environment to apply the configuration changes.
  9. Repeat steps no. 5 – 8 for each Amazon CodeBuild build project that you want to configure, available in your AWS cloud account.

Using AWS CLI

  1. Store the environment variable with the sensitive value as a parameter in Amazon EC2 Systems Manager Parameter Store or AWS Secrets Manager.

  2. Run the update-project command (OSX/Linux/UNIX) with the name of the Amazon CodeBuild build project that you want to configure as the identifier parameter to update its environment configuration, replacing the non-compliant plaintext environment variables with environment variables backed by Systems Manager Parameter Store or Secrets Manager. Note that --environment replaces the entire environment object, so the request must carry the project's existing type, image and computeType alongside the new variables. The following command request example uses environment variables managed with AWS Systems Manager Parameter Store:

    aws codebuild update-project \
      --region us-east-1 \
      --name cc-repo-code-project \
      --environment '{
    	"type": "ARM_CONTAINER",
    	"image": "aws/codebuild/amazonlinux2-aarch64-standard:2.0",
    	"computeType": "BUILD_GENERAL1_SMALL",
    	"environmentVariables": [
    		{
    			"name": "AWS_ACCESS_KEY_ID",
    			"value": "/CodeBuild/secretAccessKeyId",
    			"type": "PARAMETER_STORE"
    		},
    		{
    			"name": "AWS_SECRET_ACCESS_KEY",
    			"value": "/CodeBuild/secretAccessKey",
    			"type": "PARAMETER_STORE"
    		}
    	]
    }'
    
  3. The command output should return the information available for the modified CodeBuild build project:

    {
    	"project": {
    		"name": "cc-repo-code-project",
    		"arn": "arn:aws:codebuild:us-east-1:123456789012:project/cc-repo-code-project",
    		"source": {
    			"type": "S3",
    			"location": "trendmicro.com/webapp/",
    			"insecureSsl": false
    		},
    		"secondarySources": [],
    		"secondarySourceVersions": [],
    		"artifacts": {
    			"type": "S3",
    			"location": "trendmicro.com",
    			"path": "",
    			"namespaceType": "NONE",
    			"name": "cc-repo-code-project",
    			"packaging": "NONE",
    			"overrideArtifactName": false,
    			"encryptionDisabled": false
    		},
    		"secondaryArtifacts": [],
    		"cache": {
    			"type": "NO_CACHE"
    		},
    		"environment": {
    			"type": "ARM_CONTAINER",
    			"image": "aws/codebuild/amazonlinux2-aarch64-standard:2.0",
    			"computeType": "BUILD_GENERAL1_SMALL",
    			"environmentVariables": [
    				{
    					"name": "AWS_ACCESS_KEY_ID",
    					"value": "/CodeBuild/secretAccessKeyId",
    					"type": "PARAMETER_STORE"
    				},
    				{
    					"name": "AWS_SECRET_ACCESS_KEY",
    					"value": "/CodeBuild/secretAccessKey",
    					"type": "PARAMETER_STORE"
    				}
    			],
    			"privilegedMode": false,
    			"imagePullCredentialsType": "CODEBUILD"
    		},
    		"serviceRole": "arn:aws:iam::123456789012:role/service-role/new-service-role-cb",
    		"timeoutInMinutes": 60,
    		"queuedTimeoutInMinutes": 480,
    		"encryptionKey": "arn:aws:kms:us-east-1:123456789012:alias/aws/s3",
    		"tags": [],
    		"created": "2023-08-04T14:43:16.257000+00:00",
    		"lastModified": "2023-08-04T15:55:50.670000+00:00",
    		"vpcConfig": {
    			"vpcId": "vpc-0abcd1234abcd1234",
    			"subnets": [
    				"subnet-0abcd1234abcd1234",
    				"subnet-01234abcd1234abcd"
    			],
    			"securityGroupIds": [
    				"sg-01234abcd1234abcd"
    			]
    		},
    		"badge": {
    			"badgeEnabled": false
    		},
    		"logsConfig": {
    			"s3Logs": {
    				"status": "ENABLED",
    				"location": "cc-s3-log-bucket",
    				"encryptionDisabled": false
    			}
    		},
    		"projectVisibility": "PRIVATE"
    	}
    }
    
  4. Repeat steps no. 1 - 3 for each Amazon CodeBuild build project that you want to configure, available within your AWS cloud account.
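The audit and remediation steps above, automated in one place as an added example (not code from this page, Trend Micro or AWS): the first function flags PLAINTEXT variables whose names look like credentials in the `projects` list that batch-get-projects returns, and the second builds the replacement environment object with PARAMETER_STORE references for update-project. The credential-name heuristic, the `/CodeBuild/<NAME>` parameter path and the sample project JSON are assumptions constructed to mirror the output shown earlier.

```python
import re

# Names that usually carry credentials. The first two are the ones this check names;
# the broader patterns are an assumption and will over-match (e.g. TOKENIZER_VERSION).
CREDENTIAL_NAME = re.compile(
    r"AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|SECRET|PASSWORD|TOKEN",
    re.IGNORECASE,
)

def is_clear_text_credential(var):
    """True for a credential-looking variable whose type is PLAINTEXT
    (CodeBuild's default when no type is given)."""
    return (var.get("type", "PLAINTEXT") == "PLAINTEXT"
            and CREDENTIAL_NAME.search(var["name"]) is not None)

def find_plaintext_credentials(projects):
    """Audit: (project name, variable name) for each offending variable in the
    'projects' list returned by batch-get-projects."""
    return [(p["name"], v["name"])
            for p in projects
            for v in p.get("environment", {}).get("environmentVariables", [])
            if is_clear_text_credential(v)]

def remediated_environment(project, parameter_prefix="/CodeBuild/"):
    """Remediation: a copy of the project's environment in which each offending
    variable becomes a PARAMETER_STORE reference, ready for update-project. The value
    is the parameter name, never the secret, which must already be stored at that path."""
    env = dict(project["environment"])
    env["environmentVariables"] = [
        {"name": v["name"], "value": parameter_prefix + v["name"], "type": "PARAMETER_STORE"}
        if is_clear_text_credential(v) else dict(v)
        for v in env.get("environmentVariables", [])
    ]
    return env

# Constructed sample that mirrors the batch-get-projects output shown above.
SAMPLE_PROJECTS = [{
    "name": "cc-repo-code-project",
    "environment": {
        "type": "ARM_CONTAINER",
        "image": "aws/codebuild/amazonlinux2-aarch64-standard:2.0",
        "computeType": "BUILD_GENERAL1_SMALL",
        "environmentVariables": [
            {"name": "AWS_ACCESS_KEY_ID", "value": "ABCD1234ABCD1234ABCD", "type": "PLAINTEXT"},
            {"name": "AWS_SECRET_ACCESS_KEY", "value": "abcd1234abcd1234abcd1234abcd1234abcd1234", "type": "PLAINTEXT"},
            {"name": "BUILD_ENV", "value": "prod", "type": "PLAINTEXT"},
        ],
    },
}]
```

Against a real account, pass the `projects` list from boto3's `batch_get_projects` (or the JSON output of the CLI command above) to `find_plaintext_credentials`, and feed `remediated_environment` to `update_project` only after the secrets have been written to Parameter Store.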

Publication date Sep 1, 2023