End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

Enable Encryption for S3 Logs

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Low (generally tolerable risk)

Ensure that S3 log encryption is enabled for your Amazon CodeBuild build projects in order to protect sensitive information, prevent unauthorized access to log data, and meet compliance requirements.

Categories: Security, Cost optimisation, Operational excellence

Amazon CodeBuild can save build process logs to Amazon S3. Enabling encryption for these logs in your CodeBuild build projects safeguards the logging data from unauthorized access: the logs are encrypted with the KMS key configured for the project (the project's encryptionKey, which defaults to the AWS-managed aws/s3 key) before they are written to the S3 bucket, so only principals that are allowed to use that key can read them.


Audit

To determine if S3 log encryption is enabled for your Amazon CodeBuild build projects, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Developer Tools console at https://console.aws.amazon.com/codesuite.

  3. In the left navigation panel, under Build - CodeBuild, choose Build projects.

  4. Click on the name (link) of the CodeBuild build project that you want to examine.

  5. Select the Build details tab to access the configuration information available for the selected build project.

  6. In the Logs section, check the S3 logs setting status. If the setting status is set to ENABLED, check the Encryption disabled attribute value. If the Encryption disabled attribute value is set to true, S3 log encryption is not enabled for the selected Amazon CodeBuild build project.

  7. Repeat steps no. 4 – 6 for each Amazon CodeBuild build project available within your AWS cloud account.

Using AWS CLI

  1. Run the list-projects command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon CodeBuild build project created in your AWS cloud account:

    aws codebuild list-projects \
      --region us-east-1 \
      --output table \
      --query 'projects'
    
  2. The command output should return a table with the requested project names:

    --------------------------
    |      ListProjects      |
    +------------------------+
    |  cc-repo-code-project  |
    |  cc-webapp-ai-project  |
    +------------------------+
    
  3. Run the batch-get-projects command (OSX/Linux/UNIX) using the name of the Amazon CodeBuild build project that you want to examine as the identifier parameter, together with custom filtering, to describe the S3 log configuration defined for the selected build project:

    aws codebuild batch-get-projects \
      --names cc-repo-code-project \
      --query 'projects[*].logsConfig.s3Logs'
    
  4. The command output should return the S3 log configuration information available for the selected project:

    [
    	{
    		"status": "ENABLED",
    		"location": "cc-s3-log-bucket",
    		"encryptionDisabled": true
    	}
    ]
    

    Check the batch-get-projects command output to determine if the S3 log encryption is enabled. If the "status" attribute value is set to "ENABLED" and the "encryptionDisabled" value is set to true, as shown in the output example above, S3 log encryption is not enabled for the selected Amazon CodeBuild build project.

  5. Repeat steps no. 3 and 4 for each Amazon CodeBuild build project deployed within your AWS cloud account.

Remediation / Resolution

To ensure that S3 log encryption is enabled for your Amazon CodeBuild build projects, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Developer Tools console at https://console.aws.amazon.com/codesuite.

  3. In the left navigation panel, under Build - CodeBuild, choose Build projects.

  4. Click on the name (link) of the CodeBuild build project that you want to configure.

  5. Select the Build details tab to access the configuration information available for the selected build project.

  6. Choose Edit from the Logs section to modify the log configuration available for the selected build project.

  7. On the Edit Logs page, ensure that S3 logs - optional checkbox is selected, and deselect the Disable S3 log encryption checkbox to enable S3 log encryption for the selected Amazon CodeBuild build project. Choose Update logs to apply the configuration changes.

  8. Repeat steps no. 4 – 7 for each Amazon CodeBuild build project that you want to configure, available in your AWS cloud account.

Using AWS CLI

  1. Run the update-project command (OSX/Linux/UNIX) using the name of the Amazon CodeBuild build project that you want to configure as the identifier parameter, to update the log configuration and enable S3 log encryption for the selected build project. Set "encryptionDisabled" to false to enable log encryption (keep the existing "location" value so that the logs continue to be written to the same bucket):

    aws codebuild update-project \
      --name cc-repo-code-project \
      --logs-config '{
        "s3Logs": {
          "status": "ENABLED",
          "location": "cc-s3-log-bucket",
          "encryptionDisabled": false
        }
      }'
    
  2. The command output should return the information available for the modified CodeBuild build project:

    {
    	"project": {
    		"name": "cc-repo-code-project",
    		"arn": "arn:aws:codebuild:us-east-1:123456789012:project/cc-repo-code-project",
    		"source": {
    			"type": "S3",
    			"location": "trendmicro.com/webapp/",
    			"insecureSsl": false
    		},
    		"secondarySources": [],
    		"secondarySourceVersions": [],
    		"artifacts": {
    			"type": "S3",
    			"location": "trendmicro.com",
    			"path": "",
    			"namespaceType": "NONE",
    			"name": "cc-repo-code-project",
    			"packaging": "NONE",
    			"overrideArtifactName": false,
    			"encryptionDisabled": false
    		},
    		"secondaryArtifacts": [],
    		"cache": {
    			"type": "NO_CACHE"
    		},
    		"environment": {
    			"type": "ARM_CONTAINER",
    			"image": "aws/codebuild/amazonlinux2-aarch64-standard:2.0",
    			"computeType": "BUILD_GENERAL1_SMALL",
    			"environmentVariables": [],
    			"privilegedMode": false,
    			"imagePullCredentialsType": "CODEBUILD"
    		},
    		"serviceRole": "arn:aws:iam::123456789012:role/service-role/new-service-role-cb",
    		"timeoutInMinutes": 60,
    		"queuedTimeoutInMinutes": 480,
    		"encryptionKey": "arn:aws:kms:us-east-1:123456789012:alias/aws/s3",
    		"tags": [],
    		"created": "2023-08-04T14:43:16.257000+00:00",
    		"lastModified": "2023-08-04T15:55:50.670000+00:00",
    		"vpcConfig": {
    			"vpcId": "vpc-0abcd1234abcd1234",
    			"subnets": [
    				"subnet-0abcd1234abcd1234",
    				"subnet-01234abcd1234abcd"
    			],
    			"securityGroupIds": [
    				"sg-01234abcd1234abcd"
    			]
    		},
    		"badge": {
    			"badgeEnabled": false
    		},
    		"logsConfig": {
    			"s3Logs": {
    				"status": "ENABLED",
    				"location": "cc-s3-log-bucket",
    				"encryptionDisabled": false
    			}
    		},
    		"projectVisibility": "PRIVATE"
    	}
    }
    
  3. Repeat steps no. 1 and 2 for each Amazon CodeBuild build project that you want to configure, available within your AWS cloud account.
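The Audit and Remediation CLI procedures above evaluate and then rewrite the logsConfig document one project at a time. The following Python script is an added example (not Trend Micro's or AWS's code) that applies the same rule to every project in an account: it reads the "projects" array in the shape returned by batch-get-projects, flags projects whose S3 logs are ENABLED with encryptionDisabled set to true, and builds the corrected logs-config for update-project by flipping only that flag, so the bucket location and any CloudWatch settings are preserved. The sample projects are constructed; the boto3 calls in run_live() (list_projects, batch_get_projects, update_project) are the real CodeBuild API operations, and run_live() is the only part that needs credentials.

```python
"""Audit and remediate S3 log encryption on Amazon CodeBuild projects.

Added example, not code from the original page. Works on the JSON shape returned
by `aws codebuild batch-get-projects` ("projects" list) and on the logsConfig
document accepted by `update-project`.
"""
from __future__ import annotations

import copy
from typing import Any

# Constructed sample: the "projects" array as batch-get-projects would return it.
SAMPLE_PROJECTS: list[dict[str, Any]] = [
    {   # S3 logs on, encryption explicitly disabled -> finding
        "name": "cc-repo-code-project",
        "logsConfig": {"s3Logs": {"status": "ENABLED",
                                  "location": "cc-s3-log-bucket",
                                  "encryptionDisabled": True}},
    },
    {   # S3 logs on, encryption enabled -> compliant
        "name": "cc-webapp-ai-project",
        "logsConfig": {"s3Logs": {"status": "ENABLED",
                                  "location": "cc-s3-log-bucket",
                                  "encryptionDisabled": False}},
    },
    {   # S3 logs off -> rule not applicable
        "name": "cc-cloudwatch-only-project",
        "logsConfig": {"cloudWatchLogs": {"status": "ENABLED"},
                       "s3Logs": {"status": "DISABLED"}},
    },
    {   # no logsConfig at all (created with defaults) -> rule not applicable
        "name": "cc-default-logs-project",
    },
]


def s3_log_encryption_disabled(project: dict[str, Any]) -> bool:
    """True when the project writes build logs to S3 without encryption.

    Mirrors the audit rule: status == ENABLED and encryptionDisabled == true.
    A missing encryptionDisabled key means the API default (false), i.e. encrypted.
    """
    s3 = (project.get("logsConfig") or {}).get("s3Logs") or {}
    return s3.get("status") == "ENABLED" and bool(s3.get("encryptionDisabled", False))


def audit(projects: list[dict[str, Any]]) -> list[str]:
    """Names of the non-compliant projects, in input order."""
    return [p["name"] for p in projects if s3_log_encryption_disabled(p)]


def remediated_logs_config(project: dict[str, Any]) -> dict[str, Any]:
    """Build the logsConfig document to pass to update-project.

    Keeps everything else in logsConfig (CloudWatch settings, bucket location,
    bucketOwnerAccess) and only sets encryptionDisabled to false, so the fix
    does not silently change where the logs are written. Refuses projects that
    are not findings, because an S3 logs block without a status is invalid.
    """
    if not s3_log_encryption_disabled(project):
        raise ValueError(f"{project.get('name')}: S3 log encryption is not disabled")
    cfg = copy.deepcopy(project["logsConfig"])
    cfg["s3Logs"]["encryptionDisabled"] = False
    return cfg


def run_live(region: str = "us-east-1", fix: bool = False) -> list[str]:
    """Audit (and optionally fix) every project in the account.

    Requires boto3 and AWS credentials; imported here so the offline logic
    above has no dependency on it.
    """
    import boto3
    cb = boto3.client("codebuild", region_name=region)
    names: list[str] = []
    for page in cb.get_paginator("list_projects").paginate():
        names.extend(page["projects"])
    projects: list[dict[str, Any]] = []
    for i in range(0, len(names), 100):  # batch-get-projects accepts at most 100 names
        projects.extend(cb.batch_get_projects(names=names[i:i + 100])["projects"])
    findings = audit(projects)
    if fix:
        for p in projects:
            if p["name"] in findings:
                cb.update_project(name=p["name"], logsConfig=remediated_logs_config(p))
    return findings


if __name__ == "__main__":
    print("Non-compliant sample projects:", audit(SAMPLE_PROJECTS))
```

Running the script offline audits the constructed sample and reports only cc-repo-code-project; calling run_live(fix=True) performs the same check against the real account and applies the update-project change to each finding.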

Publication date Sep 1, 2023