End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

Enable Logging for CodeBuild Build Projects

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)

To gain a comprehensive understanding of your Amazon CodeBuild activity, it is essential to deploy a logging configuration for each Amazon CodeBuild build project available within your AWS cloud account. This ensures that all build projects are properly logged and monitored.

Security, Reliability, Cost optimisation, Performance efficiency, Operational excellence

Enabling build output logging for Amazon CodeBuild build projects is essential because it helps track the build process, providing valuable insights into build failures, errors, and other issues that may arise during the build phase. The build logs can be published to a CloudWatch Logs log group or a dedicated Amazon S3 bucket, or both. This logging information recorded at the CodeBuild project level serves as a valuable resource for auditing and troubleshooting purposes.


Audit

To determine if build output logging is enabled for your Amazon CodeBuild build projects, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Developer Tools console at https://console.aws.amazon.com/codesuite.

  3. In the left navigation panel, under Build - CodeBuild, choose Build projects.

  4. Click on the name (link) of the CodeBuild build project that you want to examine.

  5. Select the Build details tab to access the configuration information available for the selected build project.

  6. In the Logs section, check the status of the CloudWatch logs and S3 logs settings. If both settings show DISABLED, or their status is missing (not displayed), no logging configuration is defined for the build project, and therefore build output logging is not enabled for the selected Amazon CodeBuild build project.

  7. Repeat steps no. 4 – 6 for each Amazon CodeBuild build project available within your AWS cloud account.

Using AWS CLI

  1. Run the list-projects command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon CodeBuild build project created in your AWS cloud account:

    aws codebuild list-projects \
      --region us-east-1 \
      --output table \
      --query 'projects'
    
  2. The command output should return a table with the requested project names:

    --------------------------
    |      ListProjects      |
    +------------------------+
    |  cc-repo-code-project  |
    |  cc-webapp-ai-project  |
    +------------------------+
    
  3. Run the batch-get-projects command (OSX/Linux/UNIX) using the name of the Amazon CodeBuild build project that you want to examine as the identifier parameter, with custom filtering, to describe the logging configuration defined for the selected build project:

    aws codebuild batch-get-projects \
      --names cc-repo-code-project \
      --query 'projects[*].logsConfig'
    
  4. The command output should return the logging configuration information available for the selected project:

    [
    	{
    		"cloudWatchLogs": {
    			"status": "DISABLED"
    		},
    		"s3Logs": {
    			"status": "DISABLED",
    			"encryptionDisabled": false
    		}
    	}
    ]
    

    If the batch-get-projects command output returns an empty array (i.e. []), there is no logging configuration defined for the selected CodeBuild build project. If the command output returns "status": "DISABLED" for both "cloudWatchLogs" and "s3Logs" log types, as shown in the example above, build output logging is not enabled for the selected Amazon CodeBuild build project.

  5. Repeat steps no. 3 and 4 for each Amazon CodeBuild build project deployed within your AWS cloud account.
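The audit steps above as a script, added here as an example and not taken from the original page: assess_logs_config() applies the same rule to the "logsConfig" value that batch-get-projects returns (an empty result or both destinations DISABLED means logging is not enabled) and additionally flags S3 logs that are enabled with encryption turned off. The boto3 driver, its region, and the availability of AWS credentials are assumptions; the evaluation functions run offline.

```python
"""Added example (not the page's code): audit CodeBuild build-project logging."""

ENABLED = "ENABLED"


def assess_logs_config(logs_config):
    """Return (is_logged, reasons) for one project's "logsConfig" dict.

    None/{} matches the `[]` query result on the page: no logging defined.
    """
    cfg = logs_config or {}
    cw_on = cfg.get("cloudWatchLogs", {}).get("status") == ENABLED
    s3 = cfg.get("s3Logs", {})
    s3_on = s3.get("status") == ENABLED
    reasons = []
    if not cfg:
        reasons.append("no logsConfig defined")
    elif not (cw_on or s3_on):
        reasons.append("cloudWatchLogs and s3Logs are both DISABLED")
    # Enabled S3 logging that bypasses encryption is a separate finding.
    if s3_on and s3.get("encryptionDisabled") is True:
        reasons.append("s3Logs enabled but encryptionDisabled is true")
    return (cw_on or s3_on), reasons


def audit_projects(projects):
    """Map project name -> reasons, for batch_get_projects()'s project dicts."""
    findings = {}
    for project in projects:
        _, reasons = assess_logs_config(project.get("logsConfig"))
        if reasons:
            findings[project["name"]] = reasons
    return findings


def audit_account(region="us-east-1"):
    """Live driver (assumes boto3 and AWS credentials): assess every project."""
    import boto3  # imported here so the pure functions above run without it
    cb = boto3.client("codebuild", region_name=region)
    names, kwargs = [], {}
    while True:  # list_projects pages with nextToken
        resp = cb.list_projects(**kwargs)
        names.extend(resp["projects"])
        if "nextToken" not in resp:
            break
        kwargs["nextToken"] = resp["nextToken"]
    projects = []
    for i in range(0, len(names), 100):  # batch_get_projects takes <= 100 names
        projects.extend(cb.batch_get_projects(names=names[i:i + 100])["projects"])
    return audit_projects(projects)
```

Run audit_account() against a region and every project name returned with reasons is a finding; projects with a single enabled destination and encrypted S3 logs are not reported.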

Remediation / Resolution

To enable and configure build output logging for your Amazon CodeBuild build projects, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Developer Tools console at https://console.aws.amazon.com/codesuite.

  3. In the left navigation panel, under Build - CodeBuild, choose Build projects.

  4. Click on the name (link) of the CodeBuild build project that you want to configure.

  5. Select the Build details tab to access the configuration information available for the selected build project.

  6. Choose Edit from the Logs section to modify the log configuration available for the selected build project.

  7. On the Edit Logs page, perform the following actions:

    1. To publish build output logs to Amazon CloudWatch Logs, select the CloudWatch logs - optional checkbox under CloudWatch, and provide the name of the log group and log stream that will receive the log files.
    2. To upload build output logs to Amazon S3, select the S3 logs - optional checkbox under S3, and provide the name of the S3 bucket that will receive the logs. Additionally, you can specify a path prefix for the log files. Ensure that the Disable S3 log encryption checkbox is left unchecked so that the logging data sent to Amazon S3 is encrypted.
    3. Select Allow AWS CodeBuild to modify this service role so it can be used with this build project under Service role permissions to apply the necessary permissions.
    4. Choose Update logs to apply the configuration changes.
  8. Repeat steps no. 4 – 7 for each Amazon CodeBuild build project that you want to configure, available in your AWS cloud account.

Using AWS CLI

  1. Run the update-project command (OSX/Linux/UNIX) using the name of the Amazon CodeBuild build project that you want to configure as the identifier parameter, to create a new log configuration that uploads build output logs to Amazon S3. To publish logs to Amazon CloudWatch Logs instead, replace "s3Logs": {"status": "ENABLED", "location": "[bucket-name]", "encryptionDisabled": false} with "cloudWatchLogs": {"status": "ENABLED", "groupName": "[log-group-name]"}, where [log-group-name] is the name of the log group that will receive the log files. You can also include both objects to send build output logs to both Amazon S3 and Amazon CloudWatch:

    aws codebuild update-project \
      --name cc-repo-code-project \
      --logs-config '{
    		"s3Logs": {
    			"status": "ENABLED",
    			"location": "cc-s3-log-bucket/build-output-logs",
    			"encryptionDisabled": false
    		}
    	}'
    
  2. The command output should return the information available for the modified CodeBuild build project:

    {
    	"project": {
    		"name": "cc-repo-code-project",
    		"arn": "arn:aws:codebuild:us-east-1:123456789012:project/cc-repo-code-project",
    		"source": {
    			"type": "S3",
    			"location": "trendmicro.com/webapp/",
    			"insecureSsl": false
    		},
    		"secondarySources": [],
    		"secondarySourceVersions": [],
    		"artifacts": {
    			"type": "S3",
    			"location": "trendmicro.com",
    			"path": "",
    			"namespaceType": "NONE",
    			"name": "cc-repo-code-project",
    			"packaging": "NONE",
    			"overrideArtifactName": false,
    			"encryptionDisabled": false
    		},
    		"secondaryArtifacts": [],
    		"cache": {
    			"type": "NO_CACHE"
    		},
    		"environment": {
    			"type": "ARM_CONTAINER",
    			"image": "aws/codebuild/amazonlinux2-aarch64-standard:2.0",
    			"computeType": "BUILD_GENERAL1_SMALL",
    			"environmentVariables": [],
    			"privilegedMode": false,
    			"imagePullCredentialsType": "CODEBUILD"
    		},
    		"serviceRole": "arn:aws:iam::123456789012:role/service-role/new-service-role-cb",
    		"timeoutInMinutes": 60,
    		"queuedTimeoutInMinutes": 480,
    		"encryptionKey": "arn:aws:kms:us-east-1:123456789012:alias/aws/s3",
    		"tags": [],
    		"created": "2023-08-04T14:43:16.257000+00:00",
    		"lastModified": "2023-08-04T15:55:50.670000+00:00",
    		"vpcConfig": {
    			"vpcId": "vpc-0abcd1234abcd1234",
    			"subnets": [
    				"subnet-0abcd1234abcd1234",
    				"subnet-01234abcd1234abcd"
    			],
    			"securityGroupIds": [
    				"sg-01234abcd1234abcd"
    			]
    		},
    		"badge": {
    			"badgeEnabled": false
    		},
    		"logsConfig": {
    			"s3Logs": {
    				"status": "ENABLED",
    				"location": "cc-s3-log-bucket/build-output-logs",
    				"encryptionDisabled": false
    			}
    		},
    		"projectVisibility": "PRIVATE"
    	}
    }
    
  3. Repeat steps no. 1 and 2 for each Amazon CodeBuild build project that you want to configure, available within your AWS cloud account.
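The remediation above, as an added example that is not part of the original page: build_logs_config() takes a project's current "logsConfig" and returns the object to pass to update-project --logs-config (or boto3 update_project), enabling the S3 and/or CloudWatch destination requested while keeping S3 log encryption on. Bucket, prefix and log group names used in comments and tests are constructed placeholders; the boto3 call in apply_logs_config() assumes credentials and is an assumption, not the page's own code.

```python
"""Added example (not the page's code): build the logs-config for update-project."""
import copy
import json


def build_logs_config(current, s3_bucket=None, s3_prefix="", log_group=None,
                      log_stream=None):
    """Return the logsConfig to pass to update-project / boto3 update_project().

    current is the project's existing "logsConfig" (may be {} or None). Each
    destination requested here is ENABLED; S3 log encryption is always kept on.
    """
    cfg = copy.deepcopy(current) if current else {}
    if s3_bucket:
        prefix = s3_prefix.strip("/")
        cfg["s3Logs"] = {
            "status": "ENABLED",
            "location": f"{s3_bucket}/{prefix}" if prefix else s3_bucket,
            "encryptionDisabled": False,  # "Disable S3 log encryption" stays off
        }
    elif cfg.get("s3Logs", {}).get("status") == "ENABLED":
        cfg["s3Logs"]["encryptionDisabled"] = False  # repair an unencrypted target
    if log_group:
        cfg["cloudWatchLogs"] = {"status": "ENABLED", "groupName": log_group}
        if log_stream:
            cfg["cloudWatchLogs"]["streamName"] = log_stream
    if not any(dest.get("status") == "ENABLED" for dest in cfg.values()):
        raise ValueError("at least one of s3Logs/cloudWatchLogs must be ENABLED")
    return cfg


def to_cli_argument(cfg):
    """Compact JSON for `aws codebuild update-project --logs-config '<json>'`."""
    return json.dumps(cfg, separators=(",", ":"))


def apply_logs_config(project_name, cfg, region="us-east-1"):
    """Live call (assumes boto3 and credentials); returns the stored logsConfig."""
    import boto3  # imported here so the pure functions above run without it
    cb = boto3.client("codebuild", region_name=region)
    return cb.update_project(name=project_name, logsConfig=cfg)["project"]["logsConfig"]
```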

Publication date Sep 1, 2023