# `AWSConfigRemediation-ConfigureCodeBuildProjectWithKMSCMK` **Description** The `AWSConfigRemediation-ConfigureCodeBuildProjectWithKMSCMK` runbook encrypts an Amazon CodeBuild (CodeBuild) project's build artifacts using the Amazon Key Management Service (Amazon KMS) customer managed key you specify. Amazon Config must be enabled in the Amazon Web Services Region where you run this automation. [Run this Automation (console)](https://console.amazonaws.cn/systems-manager/automation/execute/AWSConfigRemediation-ConfigureCodeBuildProjectWithKMSCMK) **Document type** Automation **Owner** Amazon **Platforms** Linux, macOS, Windows **Parameters** + AutomationAssumeRole Type: String Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. + KMSKeyId Type: String Description: (Required) The Amazon Resource Name (ARN) of the Amazon KMS customer managed key you want to use to encrypt the CodeBuild project you specify in the `ProjectId` parameter. + ProjectId Type: String Description: (Required) The ID of the CodeBuild project whose build artifacts you want to encrypt. **Required IAM permissions** The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully. + `ssm:StartAutomationExecution` + `ssm:GetAutomationExecution` + `codebuild:BatchGetProjects` + `codebuild:UpdateProject` + `config:GetResourceConfigHistory` **Document Steps** + `aws:executeAwsApi` - Gathers the CodeBuild project name from the project ID. + `aws:executeAwsApi` - Enables encryption on the CodeBuild project you specify in the `ProjectId` parameter. + `aws:assertAwsResourceProperty` - Verifies that encryption has been enabled on the CodeBuild project. **Outputs** UpdateLambdaConfig.UpdateFunctionConfigurationResponse - Response from the `UpdateFunctionConfiguration` API call.