AWS Security Hub · CodeBuild
CodeBuild.7: Report group exports should be encrypted at rest
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub CodeBuild.7 check?
CodeBuild.7 fails any report group that has an S3 export configured with encryption disabled — i.e. exportConfig.s3Destination.encryptionDisabled is true. It is a change-triggered AWS Config rule on AWS::CodeBuild::ReportGroup, evaluated whenever a report group is created or edited.
Why does CodeBuild.7 matter?
Test reports are not as harmless as they sound. JUnit and coverage XML routinely carry stack traces, internal hostnames, file paths, database connection strings in failure messages, and occasionally secrets that leaked into a failing assertion. Exporting that to an unencrypted S3 object means anyone who gains read access to the bucket reads it in the clear.
How do I fix CodeBuild.7?
- Use list-report-groups and batch-get-report-groups to find groups with exportConfigType=S3 and encryptionDisabled=true.
- Choose AWS-managed (encryptionDisabled=false, no key) for zero setup, or a customer-managed KMS key for revocable access by key policy.
- Run update-report-group setting encryptionDisabled=false and the encryptionKey ARN, granting the service role kms:GenerateDataKey and kms:Decrypt if using a CMK.
- Run a real build and head-object the newest exported object to confirm ServerSideEncryption is aws:kms, then add a Config rule to prevent regression.
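The four steps above, worked through as an added example (not the page's, AWS's or Security Hub's own code). It evaluates the same flag the control reads over the JSON shape that `aws codebuild batch-get-report-groups` returns, builds the `--cli-input-json` body for `aws codebuild update-report-group`, and checks a `head-object` result for the verification step. The report-group names, bucket and key ARN are constructed placeholders, and the `NOT_APPLICABLE` label for groups without an S3 export is this example's own wording (the page only says such groups are out of scope).

```python
"""Audit and remediation planning for Security Hub CodeBuild.7.

Added example, not the page's or AWS's own code. Operates on the JSON shape
returned by `aws codebuild batch-get-report-groups` and produces the input for
`aws codebuild update-report-group --cli-input-json`. All sample data below is
constructed; bucket names and the KMS key ARN are placeholders.
"""
import json

# Constructed sample: what batch-get-report-groups returns for three groups.
SAMPLE_REPORT_GROUPS = [
    {   # S3 export with encryption switched off -> the control fails this one
        "arn": "arn:aws:codebuild:us-east-1:111122223333:report-group/unit-tests",
        "name": "unit-tests",
        "type": "TEST",
        "exportConfig": {
            "exportConfigType": "S3",
            "s3Destination": {
                "bucket": "example-test-reports",   # placeholder bucket
                "path": "unit",
                "packaging": "ZIP",
                "encryptionDisabled": True,
            },
        },
    },
    {   # S3 export encrypted with a customer-managed key -> passes
        "arn": "arn:aws:codebuild:us-east-1:111122223333:report-group/coverage",
        "name": "coverage",
        "type": "CODE_COVERAGE",
        "exportConfig": {
            "exportConfigType": "S3",
            "s3Destination": {
                "bucket": "example-test-reports",
                "packaging": "NONE",
                "encryptionKey": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",  # placeholder
                "encryptionDisabled": False,
            },
        },
    },
    {   # No export at all -> nothing lands in S3, so nothing for the control to check
        "arn": "arn:aws:codebuild:us-east-1:111122223333:report-group/smoke",
        "name": "smoke",
        "type": "TEST",
        "exportConfig": {"exportConfigType": "NO_EXPORT"},
    },
]


def evaluate(report_group):
    """Return 'FAILED', 'PASSED' or 'NOT_APPLICABLE' for one report group.

    Only the export's own flag is consulted: the bucket's default encryption is
    irrelevant, because encryptionDisabled=true overrides it for exported objects.
    """
    export = report_group.get("exportConfig", {})
    if export.get("exportConfigType") != "S3":
        return "NOT_APPLICABLE"
    dest = export.get("s3Destination", {})
    return "FAILED" if dest.get("encryptionDisabled", False) else "PASSED"


def find_failing(report_groups):
    """Names of the report groups CodeBuild.7 would flag."""
    return [g["name"] for g in report_groups if evaluate(g) == "FAILED"]


def remediation_payload(report_group, kms_key_arn=None):
    """Build the --cli-input-json body for `aws codebuild update-report-group`.

    Keeps bucket, path and packaging, forces encryptionDisabled=false and, when
    a CMK ARN is given, pins encryptionKey to it (omit it for the AWS-managed key).
    The original dict is not modified.
    """
    dest = dict(report_group["exportConfig"]["s3Destination"])
    dest["encryptionDisabled"] = False
    if kms_key_arn:
        dest["encryptionKey"] = kms_key_arn
    return {
        "arn": report_group["arn"],
        "exportConfig": {"exportConfigType": "S3", "s3Destination": dest},
    }


def export_is_encrypted(head_object_response):
    """Verification step: inspect `aws s3api head-object` output for a new export.

    Both the AWS-managed key and a CMK report ServerSideEncryption == 'aws:kms'.
    """
    return head_object_response.get("ServerSideEncryption") == "aws:kms"


if __name__ == "__main__":
    for name in find_failing(SAMPLE_REPORT_GROUPS):
        group = next(g for g in SAMPLE_REPORT_GROUPS if g["name"] == name)
        print(f"{name}: FAILED -> update-report-group input:")
        print(json.dumps(remediation_payload(group), indent=2))
```

Feed `remediation_payload()` output to `aws codebuild update-report-group --cli-input-json file://payload.json`; if you pass a CMK ARN, the build's service role still needs kms:GenerateDataKey and kms:Decrypt on that key before the next export succeeds.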
Remediation script · bash
# 1. Bulk-enable free SSE-SQS on every unencrypted queue in the region.
#    A queue is encrypted if it has a KmsMasterKeyId or SqsManagedSseEnabled=true;
#    the JMESPath '||' returns the key id when present, otherwise the SSE-SQS flag.
for q in $(aws sqs list-queues --query 'QueueUrls[]' --output text); do
  sse=$(aws sqs get-queue-attributes --queue-url "$q" \
    --attribute-names KmsMasterKeyId SqsManagedSseEnabled \
    --query 'Attributes.KmsMasterKeyId || Attributes.SqsManagedSseEnabled' --output text)
  case "$sse" in
    false|None|"") aws sqs set-queue-attributes --queue-url "$q" \
                     --attributes '{"SqsManagedSseEnabled":"true"}' && echo "encrypted $q" ;;
    *) ;;   # already SSE-KMS or SSE-SQS
  esac
done
# 2. High-throughput stream: SSE-KMS with a 5-minute data-key reuse window to keep KMS cost flat.
aws kinesis start-stream-encryption --stream-name payment-events \
  --encryption-type KMS \
  --key-id arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
# 3. Find unencrypted recovery points (Backup.1 reads IsEncrypted per recovery point, not per vault).
aws backup list-recovery-points-by-backup-vault --backup-vault-name prod-backups \
  --query 'RecoveryPoints[?IsEncrypted==`false`].[RecoveryPointArn,ResourceType]' --output table
# 4. Confirm an at-rest Config rule is evaluating so regressions are caught automatically.
aws configservice describe-compliance-by-config-rule --config-rule-names sqs-queue-encrypted \
  --query 'ComplianceByConfigRules[].Compliance.ComplianceType'
Full walkthrough (console steps, edge cases and verification) in the lesson Encrypt other services at rest (queues, streams, logs, ML).
Is CodeBuild.7 a false positive?
The export's encryptionDisabled flag overrides the bucket's own default encryption, so a bucket with default SSE-S3 still fails if the export sets encryptionDisabled=true. The control ignores the AWS-managed raw-data store, which is always encrypted — only the S3 export you control is in scope.