
CodeBuild report group exports to S3 are encrypted at rest

codebuild_report_group_export_encrypted

Severity: medium
Service: codebuild
by Prowler

CodeBuild report groups with export type S3 are evaluated to confirm their exported test results are encrypted at rest with a KMS key.

Report groups configured with NO_EXPORT are out of scope.

Risk

Unencrypted S3 exports leave report data in plaintext, weakening confidentiality.

If the bucket is misconfigured, compromised, or read by an insider, an attacker can harvest the test output for secrets, tokens, build paths, and system details, enabling credential theft and lateral movement. Encryption with a KMS key adds a second control: reading the objects also requires kms:Decrypt on that key.

Run this check with Prowler CLI

prowler aws --checks codebuild_report_group_export_encrypted

Recommendation

Enable at-rest encryption for report exports using KMS (prefer customer managed keys).

Apply least privilege: restrict key usage to the CodeBuild role and required principals, enable rotation, and audit key usage. Combine with S3 bucket policies for defense in depth.

Remediation

CLI

aws codebuild update-report-group --arn <report-group-arn> --export-config "exportConfigType=S3,s3Destination={bucket=<bucket-name>,encryptionDisabled=false}"

The --export-config value is the complete export configuration, so keep the existing bucket (and path and packaging, if set) when re-enabling encryption. To use a customer managed key instead of the default AWS managed key, add encryptionKey=<kms-key-arn> inside the s3Destination block; the CodeBuild service role then needs permission to use that key.

Other
  1. Open the AWS Console and go to CodeBuild > Report groups
  2. Select the report group and click Edit
  3. Ensure Export to Amazon S3 is enabled and a bucket is set
  4. Expand Additional configuration and enable encryption by choosing Default AWS managed key (or select a KMS key)
  5. Ensure Disable artifact encryption is NOT selected
  6. Save changes
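The evaluation described at the top of the page and the CLI remediation above, as one added Python example (this is not Prowler's own check code). It reads the shape of a BatchGetReportGroups response, classifies each report group the way this check does, and builds the corrected export configuration for a failing group. The report groups, bucket name, account ID and key ARN in SAMPLE_REPORT_GROUPS are constructed; the treatment of a missing encryptionDisabled field as "encryption enabled" is an assumption noted in the code; boto3 is only needed when run against a real account.

```python
"""Added example, not Prowler's code: evaluate CodeBuild report groups the way
codebuild_report_group_export_encrypted does, then build the remediation."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

PASS, FAIL, SKIP = "PASS", "FAIL", "SKIP"


@dataclass(frozen=True)
class Finding:
    arn: str
    status: str
    detail: str


def evaluate_report_group(group: dict) -> Finding:
    """Apply the check to one entry of a BatchGetReportGroups response."""
    arn = group.get("arn", "<unknown-arn>")
    export = group.get("exportConfig") or {}
    if export.get("exportConfigType") != "S3":
        # NO_EXPORT (or a missing config) is out of scope for this check.
        return Finding(arn, SKIP, "export type is not S3; out of scope")
    dest = export.get("s3Destination") or {}
    bucket = dest.get("bucket", "<unset>")
    # Assumption: a missing encryptionDisabled means encryption is on (the
    # service default). Only an explicit true fails the check.
    if dest.get("encryptionDisabled", False):
        return Finding(arn, FAIL, f"S3 export to bucket {bucket} has encryptionDisabled=true")
    key = dest.get("encryptionKey")
    if key:
        return Finding(arn, PASS, f"S3 export to bucket {bucket} encrypted with {key}")
    return Finding(arn, PASS, f"S3 export to bucket {bucket} encrypted with the AWS managed key "
                              "(no customer managed key set)")


def scan_report_groups(client) -> list[Finding]:
    """Walk every report group in the client's region. `client` is a boto3
    CodeBuild client: ListReportGroups is paginated and BatchGetReportGroups
    accepts at most 100 ARNs per call."""
    arns: list[str] = []
    for page in client.get_paginator("list_report_groups").paginate():
        arns.extend(page.get("reportGroups", []))
    findings: list[Finding] = []
    for start in range(0, len(arns), 100):
        resp = client.batch_get_report_groups(reportGroupArns=arns[start:start + 100])
        findings.extend(evaluate_report_group(g) for g in resp.get("reportGroups", []))
    return findings


def encrypted_export_config(group: dict, kms_key_arn: Optional[str] = None) -> dict:
    """Build the exportConfig that re-enables encryption for an S3 export while
    keeping the existing bucket, path, packaging and bucketOwner: the same
    change the `aws codebuild update-report-group` remediation makes."""
    dest = dict((group.get("exportConfig") or {}).get("s3Destination") or {})
    if not dest.get("bucket"):
        raise ValueError(f"{group.get('arn')} has no S3 export bucket to fix")
    dest["encryptionDisabled"] = False
    if kms_key_arn:
        dest["encryptionKey"] = kms_key_arn  # customer managed key, as recommended
    return {"exportConfigType": "S3", "s3Destination": dest}


def remediate(client, group: dict, kms_key_arn: Optional[str] = None) -> dict:
    """Call UpdateReportGroup with the corrected export configuration."""
    return client.update_report_group(
        arn=group["arn"], exportConfig=encrypted_export_config(group, kms_key_arn)
    )


# Constructed sample in the shape of BatchGetReportGroups output (not real resources).
_ACCOUNT = "111122223333"
_KEY = f"arn:aws:kms:us-east-1:{_ACCOUNT}:key/00000000-0000-0000-0000-000000000000"
SAMPLE_REPORT_GROUPS = [
    {"arn": f"arn:aws:codebuild:us-east-1:{_ACCOUNT}:report-group/unit-tests",
     "exportConfig": {"exportConfigType": "S3",
                      "s3Destination": {"bucket": "example-test-reports", "path": "unit",
                                        "packaging": "NONE", "encryptionDisabled": True}}},
    {"arn": f"arn:aws:codebuild:us-east-1:{_ACCOUNT}:report-group/integration",
     "exportConfig": {"exportConfigType": "S3",
                      "s3Destination": {"bucket": "example-test-reports",
                                        "encryptionDisabled": False, "encryptionKey": _KEY}}},
    {"arn": f"arn:aws:codebuild:us-east-1:{_ACCOUNT}:report-group/coverage",
     "exportConfig": {"exportConfigType": "S3",
                      "s3Destination": {"bucket": "example-test-reports",
                                        "encryptionDisabled": False}}},
    {"arn": f"arn:aws:codebuild:us-east-1:{_ACCOUNT}:report-group/scratch",
     "exportConfig": {"exportConfigType": "NO_EXPORT"}},
]

if __name__ == "__main__":
    for finding in map(evaluate_report_group, SAMPLE_REPORT_GROUPS):
        print(finding.status, finding.arn, finding.detail)
    # Against a real account (assumes boto3 and credentials):
    #   import boto3; client = boto3.client("codebuild")
    #   for f in scan_report_groups(client): ...
    #   remediate(client, group, kms_key_arn=_KEY)
```

The FAIL branch keys on an explicit encryptionDisabled=true; a PASS without an encryptionKey is still worth reporting in your own tooling, since the page's recommendation is a customer managed key and the AWS managed key cannot have a key policy scoped to the CodeBuild role.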

Resource Type

AwsCodeBuildProject