Encrypt build outputs using a customer managed key - AWS CodeBuild

Encrypt build outputs using a customer managed key

If you follow the steps in Getting started using the console to access AWS CodeBuild for the first time, you most likely do not need the information in this topic. However, as you continue using CodeBuild, you might want to do things such as encrypt build artifacts.

For AWS CodeBuild to encrypt its build output artifacts, it needs access to a KMS key. By default, CodeBuild uses the AWS managed key for Amazon S3 in your AWS account.

If you do not want to use the AWS managed key, you must create and configure a customer managed key yourself. This section describes how to do this with the IAM console.

For information about customer managed keys, see AWS Key Management Service Concepts and Creating Keys in the AWS KMS Developer Guide.

To configure a customer managed key for use by CodeBuild, follow the instructions in the "How to Modify a Key Policy" section of Modifying a Key Policy in the AWS KMS Developer Guide. Then add the following statements (between ### BEGIN ADDING STATEMENTS HERE ### and ### END ADDING STATEMENTS HERE ###) to the key policy. Ellipses (...) are used for brevity and to help you locate where to add the statements. Do not remove any statements, and do not type these ellipses into the key policy.

{ "Version": "2012-10-17", "Id": "...", "Statement": [ ### BEGIN ADDING STATEMENTS HERE ### { "Sid": "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*", "Condition": { "StringEquals": { "kms:ViaService": "s3.region-ID.amazonaws.com", "kms:CallerAccount": "account-ID" } } }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::account-ID:role/CodeBuild-service-role" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" }, ### END ADDING STATEMENTS HERE ### { "Sid": "Enable IAM User Permissions", ... }, { "Sid": "Allow access for Key Administrators", ... }, { "Sid": "Allow use of the key", ... }, { "Sid": "Allow attachment of persistent resources", ... } ] }
  • region-ID represents the ID of the AWS region where the Amazon S3 buckets associated with CodeBuild are located (for example, us-east-1).

  • account-ID represents the ID of the of the AWS account that owns the customer managed key.

  • CodeBuild-service-role represents the name of the CodeBuild service role you created or identified earlier in this topic.

Note

To create or configure a customer managed key through the IAM console, you must first sign in to the AWS Management Console by using one of the following: