# CodeBuild
AWS Systems Manager Automation provides predefined runbooks for AWS CodeBuild. For more information about runbooks, see [Working with runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). For information about how to view runbook content, see [View runbook content](automation-runbook-reference.md#view-automation-json).
**Topics**
+ [`AWSConfigRemediation-ConfigureCodeBuildProjectWithKMSCMK`](automation-aws-codebuild-cmk.md)
+ [`AWSConfigRemediation-DeleteAccessKeysFromCodeBuildProject`](automation-aws-delete-cb-keys.md)
# `AWSConfigRemediation-ConfigureCodeBuildProjectWithKMSCMK`
**Description**
The `AWSConfigRemediation-ConfigureCodeBuildProjectWithKMSCMK` runbook encrypts an AWS CodeBuild (CodeBuild) project's build artifacts using the AWS Key Management Service (AWS KMS) customer managed key you specify. AWS Config must be enabled in the AWS Region where you run this automation.
[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-ConfigureCodeBuildProjectWithKMSCMK)
**Document type**
Automation
**Owner**
Amazon
**Platforms**
Linux, macOS, Windows
**Parameters**
+ AutomationAssumeRole
Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ KMSKeyId
Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS KMS customer managed key you want to use to encrypt the CodeBuild project you specify in the `ProjectId` parameter.
+ ProjectId
Type: String
Description: (Required) The ID of the CodeBuild project whose build artifacts you want to encrypt.
**Required IAM permissions**
The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:StartAutomationExecution`
+ `ssm:GetAutomationExecution`
+ `codebuild:BatchGetProjects`
+ `codebuild:UpdateProject`
+ `config:GetResourceConfigHistory`
**Document Steps**
+ `aws:executeAwsApi` - Gathers the CodeBuild project name from the project ID.
+ `aws:executeAwsApi` - Enables encryption on the CodeBuild project you specify in the `ProjectId` parameter.
+ `aws:assertAwsResourceProperty` - Verifies that encryption has been enabled on the CodeBuild project.
**Outputs**
UpdateLambdaConfig.UpdateFunctionConfigurationResponse - Response from the `UpdateFunctionConfiguration` API call.
# `AWSConfigRemediation-DeleteAccessKeysFromCodeBuildProject`
**Description**
The `AWSConfigRemediation-DeleteAccessKeysFromCodeBuildProject` runbook deletes the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables from the AWS CodeBuild (CodeBuild) project you specify. AWS Config must be enabled in the AWS Region where you run this automation.
[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DeleteAccessKeysFromCodeBuildProject)
**Document type**
Automation
**Owner**
Amazon
**Platforms**
Linux, macOS, Windows
**Parameters**
+ AutomationAssumeRole
Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ ResourceId
Type: String
Description: (Required) The ID of the CodeBuild project whose access key environment variables you want to delete.
**Required IAM permissions**
The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:StartAutomationExecution`
+ `ssm:GetAutomationExecution`
+ `config:GetResourceConfigHistory`
+ `codebuild:BatchGetProjects`
+ `codebuild:UpdateProject`
**Document Steps**
+ `aws:executeScript` - Deletes the access key environment variables for the CodeBuild project specified in the `ResourceId` parameter.