AWSConfigRemediation-ConfigureCodeBuildProjectWithKMSCMK
Description
The
AWSConfigRemediation-ConfigureCodeBuildProjectWithKMSCMK
runbook
encrypts an Amazon CodeBuild (CodeBuild) project's build artifacts using the Amazon Key Management Service (Amazon KMS)
customer managed key you specify. Amazon Config must be enabled in the Amazon Web Services Region where you run this
automation.
Document type
Automation
Owner
Amazon
Platforms
Linux, macOS, Windows
Parameters
-
AutomationAssumeRole
Type: String
Allowed values: ^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role\/[\w+=,.@/-]+$
Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
-
KMSKeyId
Type: String
Description: (Required) The Amazon Resource Name (ARN) of the Amazon KMS customer managed key you want to use to encrypt the CodeBuild project you specify in the
ProjectIdparameter. -
ProjectId
Type: String
Description: (Required) The ID of the CodeBuild project whose build artifacts you want to encrypt.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to
successfully use the runbook.
-
ssm:StartAutomationExecution -
ssm:GetAutomationExecution -
codebuild:BatchGetProjects -
codebuild:UpdateProject -
config:GetResourceConfigHistory
Document Steps
-
aws:executeAwsApi- Gathers the CodeBuild project name from the project ID. -
aws:executeAwsApi- Enables encryption on the CodeBuild project you specify in theProjectIdparameter. -
aws:assertAwsResourceProperty- Verifies that encryption has been enabled on the CodeBuild project.
Outputs
UpdateLambdaConfig.UpdateFunctionConfigurationResponse - Response from the
UpdateFunctionConfiguration
API call.