Compliance · Critical severity

AWS Security Hub · CodeBuild

CodeBuild.2: CodeBuild env vars contain clear-text credentials

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub CodeBuild.2 check?

CodeBuild.2 fails any project that defines AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as PLAINTEXT environment variables. Those two values together are a long-lived AWS credential anyone with read access to the project definition can copy.

Why does CodeBuild.2 matter?

A plaintext environment variable is not a secret — it shows in the console, in batch-get-projects output, in CloudFormation and Terraform state, and in build logs if the environment is printed. A static key set this way is almost always a long-lived IAM user key that never rotates, so a single over-broad read permission leaks standing AWS access.

How do I fix CodeBuild.2?

  1. Pull every project's environment variables with batch-get-projects and find PLAINTEXT variables, especially AWS_ACCESS_KEY_ID.
  2. Prefer deleting the credentials outright — CodeBuild already hands the build container the service role's temporary, auto-rotating credentials via the standard provider chain.
  3. For genuine third-party secrets, switch the variable type to SECRETS_MANAGER or PARAMETER_STORE and store a reference, granting the service role GetSecretValue/GetParameters (and kms:Decrypt).
  4. Rotate the exposed IAM key — deactivate and replace it; hiding it is not fixing it.
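The four steps above, carried out against project definitions, as an added Python example that is not part of this lesson or of Emnode's tooling: it scans a batch-get-projects response for PLAINTEXT AWS credential variables, builds the corrected environment block for update-project (credential variables dropped, third-party secrets turned into SECRETS_MANAGER references), and emits the least-privilege statements the service role then needs. The project response is a constructed sample shaped like the batch-get-projects API output; the project names, the account id, the role and secret ARNs and the secret name ci/npm-token are placeholders, and the kms:Decrypt statement assumes the secret is encrypted with a customer-managed key.

```python
"""Detect CodeBuild.2 findings in batch-get-projects output and assemble the remediation."""
import json

# Variables that form a static AWS credential when defined as PLAINTEXT.
# CodeBuild.2 checks the key pair; the session token is flagged for completeness.
AWS_CREDENTIAL_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

# Constructed sample shaped like `aws codebuild batch-get-projects --names ...`
# (or boto3 client("codebuild").batch_get_projects(names=[...])). All values are placeholders.
SAMPLE_RESPONSE = {
    "projects": [
        {
            "name": "deploy-api",
            "serviceRole": "arn:aws:iam::111122223333:role/codebuild-deploy-api",
            "environment": {
                "type": "LINUX_CONTAINER",
                "image": "aws/codebuild/standard:7.0",
                "computeType": "BUILD_GENERAL1_SMALL",
                "environmentVariables": [
                    {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE", "type": "PLAINTEXT"},
                    {"name": "AWS_SECRET_ACCESS_KEY", "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "type": "PLAINTEXT"},
                    {"name": "NPM_TOKEN", "value": "npm_constructed_sample_token", "type": "PLAINTEXT"},
                    {"name": "STAGE", "value": "prod", "type": "PLAINTEXT"},
                ],
            },
        },
        {
            "name": "unit-tests",
            "serviceRole": "arn:aws:iam::111122223333:role/codebuild-unit-tests",
            "environment": {
                "type": "LINUX_CONTAINER",
                "image": "aws/codebuild/standard:7.0",
                "computeType": "BUILD_GENERAL1_SMALL",
                "environmentVariables": [
                    # Already a reference, not a value: this is what step 3 produces.
                    {"name": "DB_PASSWORD", "value": "prod/db/password", "type": "SECRETS_MANAGER"},
                ],
            },
        },
    ]
}


def find_plaintext_credentials(response):
    """Return (project name, variable name) pairs that fail CodeBuild.2.

    A variable with no "type" key is PLAINTEXT, which is the API default, so it
    must be treated as a finding too.
    """
    findings = []
    for project in response.get("projects", []):
        for var in project.get("environment", {}).get("environmentVariables", []):
            if var.get("type", "PLAINTEXT") == "PLAINTEXT" and var["name"] in AWS_CREDENTIAL_VARS:
                findings.append((project["name"], var["name"]))
    return findings


def remediate_environment(variables, secret_refs):
    """Build the environmentVariables list for update-project.

    AWS credential variables are removed outright (the service role already supplies
    temporary credentials), names listed in secret_refs become SECRETS_MANAGER
    references (value = secret name or ARN), and everything else is kept as-is.
    """
    fixed = []
    for var in variables:
        if var["name"] in AWS_CREDENTIAL_VARS:
            continue
        if var["name"] in secret_refs:
            fixed.append({"name": var["name"], "value": secret_refs[var["name"]], "type": "SECRETS_MANAGER"})
        else:
            fixed.append(var)
    return fixed


def service_role_policy(secret_arns, kms_key_arn):
    """Least-privilege statements the service role needs to resolve SECRETS_MANAGER
    variables: read the named secrets and decrypt with their (assumed customer-managed) key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": sorted(secret_arns)},
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn},
        ],
    }


if __name__ == "__main__":
    for project_name, var_name in find_plaintext_credentials(SAMPLE_RESPONSE):
        print(f"CodeBuild.2 FAIL: project {project_name} defines {var_name} as PLAINTEXT")
    project = SAMPLE_RESPONSE["projects"][0]
    fixed_env = dict(project["environment"])
    fixed_env["environmentVariables"] = remediate_environment(
        project["environment"]["environmentVariables"], {"NPM_TOKEN": "ci/npm-token"}
    )
    # Full environment block, ready for:
    #   aws codebuild update-project --name deploy-api --environment file://environment.json
    print(json.dumps(fixed_env, indent=2))
    print(json.dumps(service_role_policy(
        ["arn:aws:secretsmanager:us-east-1:111122223333:secret:ci/npm-token-PLACEHOLDER"],
        "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
    ), indent=2))
```

update-project replaces the whole environment object, so the script copies the existing type, image and computeType alongside the corrected variable list rather than sending the variables alone. The static key that was removed still has to be deactivated and deleted in IAM (step 4); nothing here does that for you.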

Remediation script · bash

# Find active credentials idle past 45 days and disable them (review before deleting).
CUTOFF=$(date -u -d '45 days ago' +%Y-%m-%d)
aws iam generate-credential-report >/dev/null
aws iam get-credential-report --query Content --output text | base64 -d \
  | awk -F, -v c="$CUTOFF" 'NR>1 && $9=="true" && $11<c {print $1, $10}'
aws iam update-access-key --user-name old-contractor \
  --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive

# Apply the CIS-aligned IAM password policy in one idempotent call.
aws iam update-account-password-policy --minimum-password-length 14 \
  --require-uppercase-characters --require-lowercase-characters \
  --require-numbers --require-symbols --password-reuse-prevention 24

# A clear-text key in a build project is compromised: rotate and delete, never just relocate.
aws iam delete-access-key --user-name ci-deploy --access-key-id AKIAIOSFODNN7EXAMPLE

Full walkthrough (console steps, edge cases and verification) in the lesson Rotate and remove stale IAM credentials.

Is CodeBuild.2 a false positive?

A hardcoded AWS_ACCESS_KEY_ID actually overrides the better service-role credentials CodeBuild already provides, so deleting it is both the security fix and the simpler configuration — the build does not need the static key at all.

Part of the learning path Lock down access
  • CodeBuild.1 A CodeBuild Bitbucket URL contains embedded credentials
  • CodeBuild.3 CodeBuild S3 logs should be encrypted
  • CodeBuild.4 Projects should have a logging configuration
  • CodeBuild.7 Report group exports should be encrypted at rest