AWS CodeBuild projects are assessed for recent activity using the last build invocation timestamp. Projects not invoked within 90 days or never built are treated as inactive.
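The classification the check performs, written out as an added example (this is not Prowler's own code). It assumes the inputs are shaped like the boto3 responses of `list_builds_for_project` (`{"ids": [...]}`, newest first when `sortOrder="DESCENDING"`) and `batch_get_builds` (`{"builds": [{"id", "startTime", "endTime", ...}]}`); the sample project data and the fixed `NOW` reference time are constructed inline, and treating a still-running build (no `endTime`) as active is this example's choice rather than anything the page specifies.

```python
"""Added example: flag CodeBuild projects whose newest build ended more than
90 days ago, or that have never been built. Not Prowler's own implementation;
input dicts mimic boto3 response shapes and are constructed below."""
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER_DAYS = 90


def classify_project(name, last_activity, now, threshold_days=INACTIVE_AFTER_DAYS):
    """Return (status, reason) for one project.

    last_activity: aware datetime of the newest build's endTime (or startTime
    if it is still running), or None when the project has never been built.
    Exactly `threshold_days` old still passes; strictly older fails.
    """
    if last_activity is None:
        return "FAIL", f"CodeBuild project {name} has never been built."
    age = now - last_activity
    if age > timedelta(days=threshold_days):
        return "FAIL", f"CodeBuild project {name} last invoked {age.days} days ago."
    return "PASS", f"CodeBuild project {name} last invoked {age.days} days ago."


def newest_build_activity(list_builds_response, batch_get_builds_response):
    """Pick the newest build's timestamp out of boto3-shaped responses.

    list_builds_for_project with sortOrder="DESCENDING" returns ids newest
    first; batch_get_builds returns the matching build records. A build that
    is still running has no endTime, so fall back to startTime (example's
    choice: an in-progress build counts as activity).
    """
    ids = list_builds_response.get("ids", [])
    if not ids:
        return None
    for build in batch_get_builds_response.get("builds", []):
        if build.get("id") == ids[0]:
            return build.get("endTime") or build.get("startTime")
    return None


def assess_projects(projects, now, threshold_days=INACTIVE_AFTER_DAYS):
    """projects: list of {"name", "list_builds", "batch_get_builds"} dicts.
    Returns {project_name: (status, reason)}."""
    return {
        p["name"]: classify_project(
            p["name"],
            newest_build_activity(p["list_builds"], p["batch_get_builds"]),
            now,
            threshold_days,
        )
        for p in projects
    }


# Constructed sample data: a fixed reference time keeps results deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_PROJECTS = [
    {  # built three days ago -> PASS
        "name": "api-build",
        "list_builds": {"ids": ["api-build:aaa"]},
        "batch_get_builds": {"builds": [
            {"id": "api-build:aaa", "endTime": NOW - timedelta(days=3)}]},
    },
    {  # last build 120 days ago -> FAIL
        "name": "legacy-build",
        "list_builds": {"ids": ["legacy-build:bbb"]},
        "batch_get_builds": {"builds": [
            {"id": "legacy-build:bbb", "endTime": NOW - timedelta(days=120)}]},
    },
    {  # exactly on the 90-day boundary -> PASS
        "name": "boundary-build",
        "list_builds": {"ids": ["boundary-build:ccc"]},
        "batch_get_builds": {"builds": [
            {"id": "boundary-build:ccc", "endTime": NOW - timedelta(days=90)}]},
    },
    {  # newest build still running, no endTime yet -> PASS via startTime
        "name": "in-progress",
        "list_builds": {"ids": ["in-progress:ddd"]},
        "batch_get_builds": {"builds": [
            {"id": "in-progress:ddd", "startTime": NOW - timedelta(minutes=5)}]},
    },
    {  # never built -> FAIL
        "name": "never-run",
        "list_builds": {"ids": []},
        "batch_get_builds": {"builds": []},
    },
]

if __name__ == "__main__":
    for name, (status, reason) in assess_projects(SAMPLE_PROJECTS, NOW).items():
        print(f"{status}: {reason}")
```

Against live data, the two response dicts per project come straight from a `boto3.client("codebuild")` session in each region; the classification above is the only part that needs the reference time, which is why `now` is passed in rather than read from the clock.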
Risk
Inactive projects increase attack surface. Dormant webhooks or source credentials can be abused, and attached IAM roles may retain excessive permissions. Stale configs can expose secrets in env vars or logs, threatening build integrity and data confidentiality, while adding avoidable cost and operational sprawl.
prowler aws --checks codebuild_project_older_90_days
Recommendation
Implement lifecycle management: review projects idle over 90 days, confirm ownership and need, then delete or archive. Revoke unused webhooks, tokens, and service roles; rotate any secrets. Enforce least privilege, tagging, and periodic audits to reduce attack surface and keep the build environment tidy and defensible.
Remediation
- Open the AWS Console and go to CodeBuild
- In Build projects, select the project
- Click Start build, then confirm Start build
- Wait for the build to start to update the last invoked time
Resource Type
AwsCodeBuildProject