Cargando...
Cargando...
Compile, test, and package code at scale — no build servers to manage, ever.
AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages ready for deployment. It scales automatically to handle multiple concurrent builds, eliminating the need to provision, manage, or scale your own build servers. CodeBuild charges only for the compute time consumed during builds, making it highly cost-effective for teams of any size.
Automate the build and test phase of a CI/CD pipeline without managing infrastructure — replacing self-hosted Jenkins, TeamCity, or Bamboo servers with a pay-per-use, auto-scaling managed service.
Use When
Avoid When
Fully managed — no build server provisioning
AWS manages all underlying infrastructure; you define the build environment and buildspec
Auto-scaling concurrent builds
Scales automatically up to account limits; no manual scaling configuration needed
buildspec.yml — declarative build specification
Defines phases: install, pre_build, build, post_build with commands, env vars, artifacts, and cache
Docker image builds and ECR push
CodeBuild environments support Docker; use privileged mode to build Docker-in-Docker
Privileged mode for Docker-in-Docker
Must explicitly enable privileged mode in the project settings to run Docker commands inside a build container
VPC integration
Builds can run inside a customer VPC to access private resources
Custom build environments (custom Docker images)
Use any Docker image from ECR or Docker Hub as the build environment; AWS provides curated managed images
S3 artifact caching
Cache dependencies (e.g., Maven .m2, npm node_modules) in S3 to speed up builds
Local caching (Docker layer, source, custom)
Faster than S3 cache but ephemeral — not guaranteed across builds
Secrets Manager and SSM Parameter Store integration
Retrieve secrets at build time via the IAM execution role
CloudWatch Logs integration
Build logs streamed to CloudWatch Logs by default; can also store in S3
CloudWatch Metrics and EventBridge events
Build state changes (SUCCEEDED, FAILED, IN_PROGRESS) emit EventBridge events for automation
GitHub / Bitbucket webhook triggers
CodeBuild can trigger builds automatically on push, pull request, or tag events via webhooks
Test reporting (test report groups)
Publish JUnit/Cucumber/NUnit test results to CodeBuild test reports for trend analysis
Code coverage reporting
Publish code coverage data (JaCoCo, SimpleCov, Clover, etc.) to CodeBuild coverage reports
Batch builds
Run multiple builds in parallel or sequentially as a single batch build job — useful for matrix testing across OS/runtime versions
ARM / Graviton compute
Build ARM-native binaries or container images using Graviton-based build environments
Lambda compute type
Ultra-fast startup for small builds; billed per second with lower minimum cost
KMS encryption for artifacts and cache
Artifacts stored in S3 can be encrypted with SSE-KMS using a customer-managed key
IAM role-based permissions (service role)
CodeBuild assumes a service role during builds; attach only the minimum required permissions
Cross-account builds
CodeBuild can access resources in other accounts via IAM cross-account roles
CodePipeline integration as Build action
CodeBuild is the native build provider for CodePipeline Build stage actions
Source credential management (OAuth, personal access tokens)
Store GitHub/Bitbucket credentials securely in CodeBuild for webhook and source access
CI/CD Pipeline Build Stage
high freqCodePipeline invokes CodeBuild as the Build action in a pipeline stage. CodePipeline passes input artifacts (source code from S3) to CodeBuild, which compiles and tests the code, then outputs build artifacts back to S3 for downstream Deploy stages. This is the most common CodeBuild integration and the dominant exam pattern.
Artifact Storage and Source Input
high freqCodeBuild reads source code from S3 (as a ZIP archive) and writes compiled build artifacts back to S3. S3 versioning ensures artifact traceability. Encryption via SSE-KMS protects sensitive build outputs. Used both standalone and within CodePipeline.
Docker Image Build and Push
high freqCodeBuild (with privileged mode enabled) builds Docker images from a Dockerfile in the source repository and pushes the resulting image to ECR. The buildspec post_build phase runs 'docker push'. The CodeBuild service role must have ecr:GetAuthorizationToken and ecr:BatchCheckLayerAvailability permissions.
Source Trigger and Build
high freqCodeCommit repository changes trigger CodeBuild builds via EventBridge rules or CodePipeline source stages. CodeBuild pulls the latest commit, runs the buildspec, and produces artifacts. This is the canonical AWS-native CI pattern.
Build-then-Deploy Pipeline
high freqCodeBuild produces a deployment package (appspec.yml + application files) stored in S3. CodeDeploy then deploys this artifact to EC2 instances, Lambda functions, or ECS services. Often orchestrated end-to-end by CodePipeline.
Serverless Deployment Build
high freqCodeBuild packages Lambda function code and dependencies (e.g., using SAM build or Serverless Framework), then stores the deployment package in S3. CodePipeline or CodeDeploy then deploys the Lambda function. Also used to run Lambda-backed custom actions in pipelines.
Secure Secrets Injection
high freqSensitive build-time credentials (API keys, database passwords, signing certificates) are stored in Secrets Manager. The buildspec references them as environment variables with type SECRETS_MANAGER. CodeBuild retrieves the secret at build time using the service role — secrets never appear in source code or plaintext logs.
Private Resource Access
high freqCodeBuild runs inside a customer VPC to access private resources such as RDS databases for integration testing, ElastiCache clusters, or internal microservices. Requires VPC ID, subnet IDs, and security group configuration on the CodeBuild project. A NAT Gateway is needed for internet access from within the VPC.
Build Monitoring and Alerting
high freqCodeBuild publishes build metrics (SucceededBuilds, FailedBuilds, Duration) to CloudWatch. Build logs stream to CloudWatch Logs. CloudWatch Alarms trigger SNS notifications on build failures. EventBridge rules react to build state change events for automated remediation.
Private Package Repository Integration
high freqCodeBuild resolves private npm, Maven, PyPI, or NuGet packages from CodeArtifact during the build. The buildspec configures the package manager to use a CodeArtifact repository endpoint. The service role needs codeartifact:GetAuthorizationToken and related permissions.
CodeBuild is a BUILD service — it compiles, tests, and packages code. It is NOT a repository (that's CodeCommit), NOT a deployment service (that's CodeDeploy), and NOT a pipeline orchestrator (that's CodePipeline). In exam scenarios, map the requirement to the correct service in the CI/CD chain.
To build Docker images inside CodeBuild, you MUST enable 'privileged mode' on the build project. Without it, Docker daemon commands will fail. This is a one-checkbox setting that is frequently tested in container deployment scenarios.
NEVER store secrets as plaintext environment variables in CodeBuild. The correct answer is always SSM Parameter Store (SecureString type) or AWS Secrets Manager, referenced in the buildspec with type PARAMETER_STORE or SECRETS_MANAGER. Plaintext env vars are visible in build logs and the console.
When CodeBuild runs inside a VPC (for private resource access), it loses internet connectivity by default. You MUST add a NAT Gateway in the VPC for CodeBuild to reach external endpoints (GitHub, Docker Hub, public ECR, package registries). This is a classic 'build fails after adding VPC' scenario on exams.
The buildspec.yml phases execute in order: install → pre_build → build → post_build. A failure in any phase (except post_build) marks the build as FAILED. post_build ALWAYS runs, even if build fails — use it for cleanup or notifications. Know which phase to put Docker push commands (post_build).
Know the CI/CD service boundaries: CodeCommit = source repo, CodeBuild = build/test, CodeDeploy = deployment, CodePipeline = orchestration. Exam questions test whether you assign the right service to the right job.
Privileged mode MUST be enabled to build Docker images inside CodeBuild. Without it, all Docker daemon commands fail. This is a one-checkbox fix that appears repeatedly in container deployment exam scenarios.
CodeBuild in a VPC loses internet access — add a NAT Gateway for external connectivity. Secrets must use SSM Parameter Store or Secrets Manager, never plaintext env vars. These two security/networking facts are tested in almost every DOP-C02 and DVA-C02 CodeBuild question.
CodeBuild integrates with CodePipeline as a 'Build' action provider. CodePipeline passes input artifacts via S3 to CodeBuild and receives output artifacts back. The CodeBuild project does NOT need to know about CodePipeline — CodePipeline orchestrates the invocation.
CodeBuild supports batch builds — a single build job that fans out into multiple parallel or sequential builds (e.g., test matrix across Node 14/16/18). This is the AWS-native answer to matrix build strategies, not running multiple separate pipeline executions.
Build caching significantly reduces build times and costs. Use S3 cache for dependency directories (e.g., ~/.m2 for Maven, node_modules for npm). Use local Docker layer cache for container image builds. Exam questions about 'slow builds' or 'reducing build costs' often have caching as the correct answer.
CodeBuild test reports allow you to publish JUnit, Cucumber, NUnit, TestNG, and Visual Studio test result files. This enables trend analysis of test pass/fail rates over time in the CodeBuild console — without needing a separate test reporting tool.
CodeBuild can be triggered WITHOUT CodePipeline — directly via the AWS CLI, SDK, console, EventBridge rules, or GitHub/Bitbucket webhooks. Exam questions sometimes describe a simple CI scenario where CodePipeline is overkill; CodeBuild standalone with a webhook is the right answer.
CodeBuild uses a SERVICE ROLE (IAM role) that must have permissions for every resource the build accesses — S3, ECR, SSM, Secrets Manager, VPC, CloudWatch Logs, etc. 'Build fails with Access Denied' exam scenarios are almost always fixed by adding permissions to the CodeBuild service role, not the user's role.
For the DEA-C01 (Data Engineer) exam: CodeBuild can be used in data pipelines to run ETL preprocessing scripts, data validation jobs, or build custom Glue/EMR job artifacts before deployment. It is not a data processing engine itself but an automation layer.
Common Mistake
CodeBuild is a complete CI/CD solution — I can use it alone to manage my entire software delivery pipeline from source to production.
Correct
CodeBuild handles ONLY the build and test phase. A complete AWS CI/CD pipeline requires CodeCommit (or GitHub) for source, CodeBuild for build/test, CodeDeploy for deployment, and CodePipeline to orchestrate all stages. Each service has a distinct, non-overlapping responsibility.
This is the most common conceptual error. Exam questions frequently describe a full pipeline scenario and ask which service handles which responsibility. Remember: Source → CodeCommit | Build → CodeBuild | Deploy → CodeDeploy | Orchestrate → CodePipeline.
Common Mistake
CodeBuild and CodeCommit are the same type of service — both deal with code, so they're interchangeable.
Correct
CodeCommit is a managed Git repository service (source control). CodeBuild is a managed build service (compilation and testing). They serve completely different purposes. CodeCommit stores code; CodeBuild transforms code into deployable artifacts.
Exam questions deliberately use both services in the same scenario to test whether candidates understand the distinction. The keyword 'repository' or 'version control' always points to CodeCommit; 'compile', 'test', or 'build artifact' always points to CodeBuild.
Common Mistake
I need to enable privileged mode for all CodeBuild projects to get better performance.
Correct
Privileged mode is specifically required ONLY when the build process itself needs to run Docker commands (i.e., building Docker images inside the build container — Docker-in-Docker). It is a security escalation and should only be enabled when explicitly needed. Most builds (compiling Java, running Python tests, etc.) do NOT require privileged mode.
Enabling privileged mode unnecessarily violates least-privilege security principles and is a security anti-pattern. Exam questions in the security domain test whether candidates know to limit privileged mode to Docker image build scenarios only.
Common Mistake
Storing database passwords or API keys as environment variables in CodeBuild is fine because they're only visible to my team.
Correct
Plaintext environment variables in CodeBuild are visible in the AWS console, in build logs, and to anyone with IAM access to the CodeBuild project. The correct approach is to reference secrets from SSM Parameter Store (type: PARAMETER_STORE) or Secrets Manager (type: SECRETS_MANAGER) in the buildspec, so the actual secret value is never stored in the project configuration.
Security misconfigurations around secrets are heavily tested in DOP-C02 and DVA-C02. The exam will present a scenario with plaintext secrets and ask how to remediate it — the answer is always SSM SecureString or Secrets Manager, not encryption of the environment variable field.
Common Mistake
Adding a CodeBuild project to a VPC automatically gives it access to the internet AND private resources.
Correct
When CodeBuild runs inside a VPC, it uses your VPC's routing rules. Private subnets have no internet access by default. You must add a NAT Gateway (in a public subnet) and route private subnet traffic through it for CodeBuild to reach external internet resources. Without NAT, builds in a VPC will fail to download packages, pull images, or reach external APIs.
This 'VPC breaks my build' scenario is a classic exam trap. The symptom is: builds worked before VPC was added, now they time out downloading dependencies. The fix is a NAT Gateway — not removing the VPC, not using an Internet Gateway directly on the private subnet.
Common Mistake
CodeBuild is like CodeArtifact — both deal with packages and dependencies, so they serve the same purpose.
Correct
CodeBuild is a build execution service (runs your build commands). CodeArtifact is a managed artifact/package repository (stores and serves npm, Maven, PyPI, NuGet packages). They are complementary: CodeBuild USES CodeArtifact as a package source during builds. They are not substitutes for each other.
The exam (especially DOP-C02) tests understanding of the entire developer tools ecosystem. A question about 'hosting private npm packages' requires CodeArtifact, not CodeBuild. A question about 'running npm install and tests' requires CodeBuild.
Common Mistake
The post_build phase in buildspec.yml only runs if the build phase succeeds.
Correct
The post_build phase ALWAYS runs regardless of whether the build phase succeeded or failed. This makes it ideal for cleanup tasks, sending notifications, or pushing partial artifacts. However, the overall build status will still reflect the failure from the build phase.
This is a subtle but tested behavior. Candidates who assume post_build is conditional may incorrectly design notification or cleanup logic. Use post_build for 'always run' tasks; use build phase success/failure conditions for conditional logic.
The 4 C's of AWS CI/CD — Commit (CodeCommit) → Compile (CodeBuild) → Coordinate (CodePipeline) → Complete/Deploy (CodeDeploy). Each C does exactly one job.
buildspec PHASES in order: 'I Prefer Building Post-deadline' = Install → Pre_build → Build → Post_build
VPC + CodeBuild = 'No Net Without NAT' — adding a VPC removes internet access; NAT Gateway restores it
Privileged mode = Docker mode. Only enable it when you're building Docker INSIDE Docker. Nothing else needs it.
Secrets in CodeBuild: 'Never Plain, Always Param or Secret' — plaintext = bad; SSM Parameter Store or Secrets Manager = good
CertAI Tutor · DOP-C02, DVA-C02, SAA-C03, SAP-C02, DEA-C01, CLF-C02 · 2026-02-21
In the Same Category
Comparisons
Guides & Patterns