Encrypt build outputs using a customer managed key - Amazon CodeBuild

Encrypt build outputs using a customer managed key

If you follow the steps in Getting started using the console to access Amazon CodeBuild for the first time, you most likely do not need the information in this topic. However, as you continue using CodeBuild, you might want to do things such as encrypt build artifacts.

For Amazon CodeBuild to encrypt its build output artifacts, it needs access to a KMS key. By default, CodeBuild uses the Amazon managed key for Amazon S3 in your Amazon account.

If you do not want to use the Amazon managed key, you must create and configure a customer managed key yourself. This section describes how to do this with the IAM console.

For information about customer managed keys, see Amazon Key Management Service Concepts and Creating Keys in the Amazon KMS Developer Guide.

To configure a customer managed key for use by CodeBuild, follow the instructions in the "How to Modify a Key Policy" section of Modifying a Key Policy in the Amazon KMS Developer Guide. Then add the following statements (between ### BEGIN ADDING STATEMENTS HERE ### and ### END ADDING STATEMENTS HERE ###) to the key policy. Ellipses (...) are used for brevity and to help you locate where to add the statements. Do not remove any statements, and do not type these ellipses into the key policy.

    {
        "Version": "2012-10-17",
        "Id": "...",
        "Statement": [
            ### BEGIN ADDING STATEMENTS HERE ###
            {
                "Sid": "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "*"
                },
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "kms:ViaService": "s3.region-ID.amazonaws.com",
                        "kms:CallerAccount": "account-ID"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::account-ID:role/CodeBuild-service-role"
                },
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey"
                ],
                "Resource": "*"
            },
            ### END ADDING STATEMENTS HERE ###
            {
                "Sid": "Enable IAM User Permissions",
                ...
            },
            {
                "Sid": "Allow access for Key Administrators",
                ...
            },
            {
                "Sid": "Allow use of the key",
                ...
            },
            {
                "Sid": "Allow attachment of persistent resources",
                ...
            }
        ]
    }

  • region-ID represents the ID of the Amazon region where the Amazon S3 buckets associated with CodeBuild are located (for example, us-east-1).

  • account-ID represents the ID of the Amazon account that owns the customer managed key.

  • CodeBuild-service-role represents the name of the CodeBuild service role you created or identified earlier in this topic.
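The following script is an added example (not AWS code from this page) that fills the placeholders above into the two statements, prepends them to an existing key policy without touching the statements already there, and then checks the result for the one property that makes the wildcard-principal statement safe: an Allow statement with "Principal": "*" must carry both the kms:ViaService and kms:CallerAccount conditions, otherwise any principal in any account could use the key. The region, account ID, role name and the sample existing policy are constructed placeholders.

```python
"""Build and sanity-check KMS key policy statements for CodeBuild.

Added example, not AWS-provided code. The region, account and role
values used below are placeholders, and EXISTING_POLICY is a constructed
sample of the default statement a new key policy contains.
"""
import copy
import json
import re

# The five KMS actions granted by the documented statements.
KMS_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
]


def codebuild_statements(region_id, account_id, service_role_name):
    """Return the two documented statements with placeholders filled in."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be the 12-digit Amazon account ID")
    if not re.fullmatch(r"[a-z]{2}(-[a-z]+)+-\d", region_id):
        raise ValueError("region_id must look like us-east-1")
    via_s3 = {
        "Sid": "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": list(KMS_ACTIONS),
        "Resource": "*",
        # The wildcard principal is acceptable only because of these two
        # conditions: the request must arrive via S3 in this Region and
        # originate from this account.
        "Condition": {
            "StringEquals": {
                "kms:ViaService": f"s3.{region_id}.amazonaws.com",
                "kms:CallerAccount": account_id,
            }
        },
    }
    service_role = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{service_role_name}"},
        "Action": list(KMS_ACTIONS),
        "Resource": "*",
    }
    return [via_s3, service_role]


def add_codebuild_statements(policy, region_id, account_id, service_role_name):
    """Return a copy of an existing key policy with the CodeBuild statements
    prepended. Existing statements are kept exactly as they were."""
    merged = copy.deepcopy(policy)
    merged.setdefault("Statement", [])
    merged["Statement"] = (
        codebuild_statements(region_id, account_id, service_role_name) + merged["Statement"]
    )
    return merged


def unscoped_wildcard_statements(policy):
    """List Allow statements whose Principal is "*" but which lack the
    kms:ViaService and kms:CallerAccount conditions. Each entry is the
    statement's Sid, or its index when it has none. Expect an empty list."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        is_wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        if stmt.get("Effect") != "Allow" or not is_wildcard:
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if "kms:ViaService" not in equals or "kms:CallerAccount" not in equals:
            findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


# Constructed sample: the default statement AWS places in a new key policy.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-example",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}

if __name__ == "__main__":
    merged = add_codebuild_statements(
        EXISTING_POLICY, "us-east-1", "111122223333", "CodeBuild-service-role"
    )
    print(json.dumps(merged, indent=2))
    print("unscoped wildcard statements:", unscoped_wildcard_statements(merged))
```

The printed policy is what you would paste into the key policy editor (or pass to put-key-policy). Running unscoped_wildcard_statements over the policy you already have on a key is a cheap way to catch a "*" principal whose conditions were dropped during a manual edit.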

Note

To create or configure a customer managed key through the IAM console, you must first sign in to the Amazon Web Services Management Console by using one of the following: