AWS Config Rule: CodeBuild Project S3 Logs Encrypted

CODEBUILD_PROJECT_S3_LOGS_ENCRYPTED

Eduardo Van Cauteren

Last Update 8 months ago

Description: Checks if an AWS CodeBuild project configured with Amazon S3 Logs has encryption enabled for its logs. The rule is NON_COMPLIANT if ‘encryptionDisabled’ is set to ‘true’ in an S3LogsConfig of a CodeBuild project.


Trigger type: Configuration changes


AWS Region: All supported AWS regions except the Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Israel (Tel Aviv), Europe (Spain) and Europe (Zurich) Regions


How to Resolve Manually

This config rule checks whether the Amazon S3 logs for a given CodeBuild build project have encryption enabled. The rule is non-compliant if a project is found with log encryption disabled.
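The same check can be scripted against the project data returned by the CodeBuild `batch_get_projects` API. The following is an added example, not StackZone's or AWS's own rule code; the sample projects are constructed, and treating a project without enabled S3 logs as NOT_APPLICABLE is an assumption.

```python
import copy

def evaluate_s3_log_encryption(project):
    """Return the compliance state for one project dict (batch_get_projects shape)."""
    s3_logs = project.get("logsConfig", {}).get("s3Logs", {})
    # Assumption: a project without enabled S3 logs is outside the rule's scope.
    if s3_logs.get("status") != "ENABLED":
        return "NOT_APPLICABLE"
    # S3 build logs are encrypted by default, so a missing key counts as encrypted.
    return "NON_COMPLIANT" if s3_logs.get("encryptionDisabled", False) else "COMPLIANT"

def remediated_logs_config(project):
    """Copy logsConfig with encryptionDisabled cleared; the log location is untouched."""
    logs_config = copy.deepcopy(project["logsConfig"])
    logs_config["s3Logs"]["encryptionDisabled"] = False
    return logs_config  # suitable as the logsConfig argument of update_project

def scan_region(region):
    """Evaluate every CodeBuild project in a region (needs boto3 and credentials)."""
    import boto3  # imported here so the pure functions above run offline
    client = boto3.client("codebuild", region_name=region)
    names = [name for page in client.get_paginator("list_projects").paginate()
             for name in page["projects"]]
    results = {}
    for i in range(0, len(names), 100):  # batch_get_projects takes up to 100 names
        for proj in client.batch_get_projects(names=names[i:i + 100])["projects"]:
            results[proj["name"]] = evaluate_s3_log_encryption(proj)
    return results

# Constructed sample projects, not real account data.
SAMPLE_PROJECTS = [
    {"name": "app-build", "logsConfig": {"s3Logs": {
        "status": "ENABLED", "location": "example-bucket/build-logs",
        "encryptionDisabled": True}}},
    {"name": "lib-build", "logsConfig": {"s3Logs": {
        "status": "ENABLED", "location": "example-bucket/lib-logs",
        "encryptionDisabled": False}}},
    {"name": "docs-build", "logsConfig": {
        "cloudWatchLogs": {"status": "ENABLED"},
        "s3Logs": {"status": "DISABLED"}}},
]

if __name__ == "__main__":
    for proj in SAMPLE_PROJECTS:
        print(proj["name"], evaluate_s3_log_encryption(proj))
```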


To resolve this, head over to the CodeBuild service within the AWS Console, locate the non-compliant project and click on its name. Once there, click on the Edit dropdown list and select Logs.

Locate the S3 logs section, ensure that Disable S3 log encryption is unticked, then click on the Update logs button. See the following screenshot for reference:


How to Resolve with StackZone

You can resolve non-compliant resources with StackZone by enabling the Remediation for this AWS Config Rule.


This remediation by StackZone will ensure your current log location is encrypted, by targeting the Disable Encrypted Logs flag to true. No alteration to your current logs location is made.


You can enable this by heading over to the Provisioning Module in the StackZone Console. From there, head to Baseline Services -> AWS Regional Config Rules -> Development and enable CodeBuild Project S3 Logs Encrypted Remediation.

