Control: 3 CodeBuild S3 logs should be encrypted
This control checks if Amazon S3 logs for an AWS CodeBuild project are encrypted. The control fails if encryption is deactivated for S3 logs for a CodeBuild project.
Encryption of data at rest is a recommended best practice to add a layer of access management around your data. Encrypting the logs at rest reduces the risk that a user not authenticated by AWS will access the data stored on disk. It adds another set of access controls to limit the ability of unauthorized users to access the data.
To change the encryption settings for CodeBuild project S3 logs, see Change a build project's settings in AWS CodeBuild in the AWS CodeBuild User Guide.
Run the control in your terminal:
steampipe check aws_compliance.control.foundational_security_codebuild_3
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share aws_compliance.control.foundational_security_codebuild_3
This control uses a named query: codebuild_project_s3_logs_encryption_enabled
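The condition this control describes can be checked offline against saved output of `aws codebuild batch-get-projects`. The following is an added example, not the named query's own code: the sample data is constructed, the function names are hypothetical, and reporting projects without S3 logs as "skip" is an assumption.

```python
# Constructed sample in the shape returned by `aws codebuild batch-get-projects`.
SAMPLE_RESPONSE = {
    "projects": [
        {"name": "build-encrypted",
         "logsConfig": {"s3Logs": {"status": "ENABLED",
                                   "location": "example-bucket/logs",
                                   "encryptionDisabled": False}}},
        {"name": "build-plaintext",
         "logsConfig": {"s3Logs": {"status": "ENABLED",
                                   "location": "example-bucket/logs",
                                   "encryptionDisabled": True}}},
        # encryptionDisabled omitted: S3 build logs are encrypted by default.
        {"name": "build-default",
         "logsConfig": {"s3Logs": {"status": "ENABLED",
                                   "location": "example-bucket/logs"}}},
        {"name": "build-cloudwatch-only",
         "logsConfig": {"s3Logs": {"status": "DISABLED"}}},
        {"name": "build-no-logsconfig"},
    ]
}


def evaluate_project(project):
    """Return (status, reason) for one project dict."""
    s3_logs = (project.get("logsConfig") or {}).get("s3Logs") or {}
    if s3_logs.get("status") != "ENABLED":
        # Assumption: nothing is written to S3, so there is nothing to encrypt.
        return "skip", "S3 logs are not enabled"
    if s3_logs.get("encryptionDisabled") is True:
        return "alarm", "S3 logs encryption is disabled"
    return "ok", "S3 logs are encrypted"


def evaluate_response(response):
    """Map each project name to its status."""
    return {p.get("name", "<unnamed>"): evaluate_project(p)[0]
            for p in response.get("projects", [])}


def failing_projects(response):
    """Names of projects that would fail the check, sorted."""
    return sorted(n for n, s in evaluate_response(response).items()
                  if s == "alarm")


if __name__ == "__main__":
    for name, status in evaluate_response(SAMPLE_RESPONSE).items():
        print(f"{status:5} {name}")
```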