This check assesses whether each CodeBuild project is configured to send build logs and events to Amazon CloudWatch Logs or S3, passing when at least one of the two destinations is enabled.
Risk
Absence of build logging creates blind spots for integrity and accountability. Attackers or misconfigurations can alter artifacts, exfiltrate data, or misuse credentials with little trace, hindering forensics and incident response. Missing telemetry impedes correlation with other alerts, risking source code and secret confidentiality.
prowler aws --checks codebuild_project_logging_enabled
Recommendation
Enable a log destination for every project: CloudWatch Logs or S3 (preferably both). Enforce defense in depth: encrypt logs, set retention, and restrict access on a least-privilege basis. Centralize and monitor logs, alert on anomalies, and avoid writing sensitive data to build output. Use immutable retention to preserve auditability.
Remediation
aws codebuild update-project --name <project-name> --logs-config "cloudWatchLogs={status=ENABLED}"
- In the AWS Console, go to CodeBuild > Build projects and open your project
- Under Logs, click Edit
- Check CloudWatch logs and save (or enable S3 logs instead)
- Confirm the project now shows logging enabled
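The following is an added example, not Prowler's own check code, that applies the pass/fail condition above to CodeBuild project descriptions and builds the remediation configuration for the projects that fail. The project dicts are constructed sample data; their shape follows the `projects[].logsConfig` element returned by `aws codebuild batch-get-projects`, where `cloudWatchLogs.status` and `s3Logs.status` are `ENABLED` or `DISABLED`. The log group names are assumptions chosen for the example.

```python
"""Evaluate the CodeBuild logging check offline and emit remediation commands.

A project passes when CloudWatch Logs or S3 logging is ENABLED in its
logsConfig. The sample projects at the bottom are constructed for this
example; the dict shape mirrors `projects[].logsConfig` as returned by
`aws codebuild batch-get-projects`.
"""
import json
from typing import Any, Optional

ENABLED = "ENABLED"
DESTINATIONS = ("cloudWatchLogs", "s3Logs")


def destination_enabled(logs_config: Optional[dict], key: str) -> bool:
    """True when logsConfig[key].status == ENABLED.

    A missing logsConfig or a missing destination block counts as disabled, so a
    project description without any logs configuration fails instead of raising.
    """
    block = (logs_config or {}).get(key) or {}
    return block.get("status") == ENABLED


def logging_enabled(project: dict) -> bool:
    """The check condition: at least one destination is enabled."""
    cfg = project.get("logsConfig")
    return any(destination_enabled(cfg, key) for key in DESTINATIONS)


def evaluate_projects(projects: list) -> dict:
    """Map project name -> 'PASS' or 'FAIL', one finding per resource."""
    return {p["name"]: ("PASS" if logging_enabled(p) else "FAIL") for p in projects}


def failing_projects(projects: list) -> list:
    """Sorted names of the projects that fail the check."""
    return sorted(n for n, s in evaluate_projects(projects).items() if s == "FAIL")


def remediation_logs_config(project: dict, group_name: str) -> dict:
    """Build a logsConfig that enables CloudWatch Logs in `group_name` and carries
    over the project's existing S3 block, so both destinations are stated
    explicitly in the resulting configuration."""
    existing = project.get("logsConfig") or {}
    s3 = dict(existing.get("s3Logs") or {"status": "DISABLED"})
    return {
        "cloudWatchLogs": {"status": ENABLED, "groupName": group_name},
        "s3Logs": s3,
    }


def remediation_command(project: dict, group_name: str) -> str:
    """The update-project CLI call from the Remediation section, with the
    logsConfig passed as JSON (the CLI accepts JSON or shorthand here)."""
    cfg = json.dumps(remediation_logs_config(project, group_name), separators=(",", ":"))
    return f"aws codebuild update-project --name {project['name']} --logs-config '{cfg}'"


# Constructed sample inventory (not real projects).
SAMPLE_PROJECTS: list = [
    {"name": "build-api",
     "logsConfig": {"cloudWatchLogs": {"status": "ENABLED", "groupName": "/codebuild/build-api"},
                    "s3Logs": {"status": "DISABLED"}}},
    {"name": "build-web",
     "logsConfig": {"cloudWatchLogs": {"status": "DISABLED"},
                    "s3Logs": {"status": "ENABLED", "location": "example-build-logs/web",
                               "encryptionDisabled": False}}},
    {"name": "legacy-job",
     "logsConfig": {"cloudWatchLogs": {"status": "DISABLED"}, "s3Logs": {"status": "DISABLED"}}},
    {"name": "no-config"},  # description with no logsConfig element at all
]

if __name__ == "__main__":
    for name, status in evaluate_projects(SAMPLE_PROJECTS).items():
        print(f"{status}  {name}")
    for p in SAMPLE_PROJECTS:
        if not logging_enabled(p):
            # Assumed log group naming convention for the example.
            print(remediation_command(p, f"/aws/codebuild/{p['name']}"))
```

Run against a real account by replacing `SAMPLE_PROJECTS` with the `projects` list from `aws codebuild batch-get-projects --names ...`; the evaluation logic is unchanged, and the printed commands are the per-project equivalent of the single update-project line in the Remediation section.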
Source Code
Resource Type
AwsCodeBuildProject
References
- https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html#change-project-console-logs
- https://codefresh.io/learn/devops-tools/aws-codebuild-the-basics-and-a-quick-tutorial/
- https://asecure.cloud/a/cfgrule_codebuild-project-logging-enabled/
- https://support.icompaas.com/support/solutions/articles/62000233680-ensure-that-codebuild-projects-have-s3-or-cloudwatch-logging-enabled
- https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-4