
Disable Privileged Mode for CodeBuild Project Environments

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that Privileged Mode is disabled for your Amazon CodeBuild project environments. Configuring CodeBuild project environments with Privileged Mode can potentially allow unauthorized access to sensitive resources and increase the risk of malicious code execution.

Security
Reliability
Operational excellence

Adhering to AWS cloud security best practices is vital in preventing unwanted privilege escalation, which may otherwise result in tampering or loss of critical cloud resources. As a precautionary measure, it is recommended to disable the Privileged Mode at the CodeBuild project environment level, except when building Docker containers where using the feature is required.

Some builds legitimately require Privileged Mode: Amazon CodeBuild project environments that use Docker containers are allowed to keep it enabled.

Audit

To determine if the Privileged Mode is disabled for Amazon CodeBuild project environments, perform the following actions:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Developer Tools console at https://console.aws.amazon.com/codesuite.

  3. In the left navigation panel, under Build - CodeBuild, choose Build projects.

  4. Click on the name (link) of the CodeBuild build project that you want to examine.

  5. Select the Build details tab to access the configuration information available for the selected build project.

  6. In the Environment section, check the Privileged setting status. If the setting status is set to True, the Privileged Mode is not disabled for the selected Amazon CodeBuild project environment.

  7. Repeat steps no. 4 – 6 for each Amazon CodeBuild build project available within your AWS cloud account.

Using AWS CLI

  1. Run the list-projects command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon CodeBuild build project created in your AWS cloud account:

    aws codebuild list-projects \
      --region us-east-1 \
      --output table \
      --query 'projects'
    
  2. The command output should return a table with the requested project names:

    --------------------------
    |      ListProjects      |
    +------------------------+
    |  cc-repo-code-project  |
    |  cc-webapp-ai-project  |
    +------------------------+
    
  3. Run the batch-get-projects command (OSX/Linux/UNIX) using the name of the Amazon CodeBuild build project that you want to examine as the identifier parameter, with custom query filters to return the Privileged Mode status of the selected build project environment:

    aws codebuild batch-get-projects \
      --names cc-repo-code-project \
      --query 'projects[*].environment.privilegedMode'
    
  4. The command output should return the Privileged Mode status (true for enabled, false for disabled):

    [
    	true
    ]
    

    If the batch-get-projects command output returns true, as shown in the output example above, the Privileged Mode is not disabled for the selected Amazon CodeBuild project environment.

  5. Repeat steps no. 3 and 4 for each Amazon CodeBuild build project deployed within your AWS cloud account.

Remediation / Resolution

To disable Privileged Mode for your Amazon CodeBuild build project environments, perform the following actions:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Developer Tools console at https://console.aws.amazon.com/codesuite.

  3. In the left navigation panel, under Build - CodeBuild, choose Build projects.

  4. Click on the name (link) of the CodeBuild build project that you want to configure.

  5. Select the Build details tab to access the configuration information available for the selected build project.

  6. Choose Edit from the Environment section to modify the environment configuration available for the selected build project.

  7. On the Edit Environment page, choose Additional configuration, select Override image, and disable the Privileged Mode for the selected build project environment by deselecting the Enable this flag if you want to build Docker images or want your builds to get elevated privileges checkbox under Privileged. Choose Update environment to apply the configuration changes.

  8. Repeat steps no. 4 – 7 for each Amazon CodeBuild build project that you want to configure, available in your AWS cloud account.

Using AWS CLI

  1. Run the update-project command (OSX/Linux/UNIX) using the name of the Amazon CodeBuild build project that you want to configure as the identifier parameter to update the environment configuration and disable Privileged Mode for the selected build project environment. Set "privilegedMode" to false to disable the feature. Note that the --environment parameter replaces the entire environment object, so carry over the existing type, image, computeType and any environment variables (as returned by batch-get-projects) and change only "privilegedMode":

    aws codebuild update-project \
      --name cc-repo-code-project \
      --environment '{
            "type": "ARM_CONTAINER",
            "image": "aws/codebuild/amazonlinux2-aarch64-standard:2.0",
            "computeType": "BUILD_GENERAL1_SMALL",
            "privilegedMode": false
        }'
    
  2. The command output should return the information available for the modified CodeBuild build project:

    {
    	"project": {
    		"name": "cc-repo-code-project",
    		"arn": "arn:aws:codebuild:us-east-1:123456789012:project/cc-repo-code-project",
    		"source": {
    			"type": "S3",
    			"location": "trendmicro.com/webapp/",
    			"insecureSsl": false
    		},
    		"secondarySources": [],
    		"secondarySourceVersions": [],
    		"artifacts": {
    			"type": "S3",
    			"location": "trendmicro.com",
    			"path": "",
    			"namespaceType": "NONE",
    			"name": "cc-repo-code-project",
    			"packaging": "NONE",
    			"overrideArtifactName": false,
    			"encryptionDisabled": false
    		},
    		"secondaryArtifacts": [],
    		"cache": {
    			"type": "NO_CACHE"
    		},
    		"environment": {
    			"type": "ARM_CONTAINER",
    			"image": "aws/codebuild/amazonlinux2-aarch64-standard:2.0",
    			"computeType": "BUILD_GENERAL1_SMALL",
    			"environmentVariables": [],
    			"privilegedMode": false,
    			"imagePullCredentialsType": "CODEBUILD"
    		},
    		"serviceRole": "arn:aws:iam::123456789012:role/service-role/new-service-role-cb",
    		"timeoutInMinutes": 60,
    		"queuedTimeoutInMinutes": 480,
    		"encryptionKey": "arn:aws:kms:us-east-1:123456789012:alias/aws/s3",
    		"tags": [],
    		"created": "2023-08-04T14:43:16.257000+00:00",
    		"lastModified": "2023-08-04T15:55:50.670000+00:00",
    		"vpcConfig": {
    			"vpcId": "vpc-0abcd1234abcd1234",
    			"subnets": [
    				"subnet-0abcd1234abcd1234",
    				"subnet-01234abcd1234abcd"
    			],
    			"securityGroupIds": [
    				"sg-01234abcd1234abcd"
    			]
    		},
    		"badge": {
    			"badgeEnabled": false
    		},
    		"logsConfig": {
    			"s3Logs": {
    				"status": "ENABLED",
    				"location": "cc-s3-log-bucket",
    				"encryptionDisabled": false
    			}
    		},
    		"projectVisibility": "PRIVATE"
    	}
    }
    
  3. Repeat steps no. 1 and 2 for each Amazon CodeBuild build project that you want to configure, available within your AWS cloud account.
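The following script is an added example, not part of this article or of the Conformity product. It combines the CLI audit (steps 3 and 4 above) and the CLI remediation into one pass: it reads the JSON that aws codebuild batch-get-projects prints (a constructed sample is embedded so it runs offline), lists every project whose environment has privilegedMode set to true, and emits an update-project command for each one whose --environment payload copies the existing environment and changes only privilegedMode, since that parameter replaces the whole object. The project names, image and variable values are invented.

```python
import json
import shlex

# Constructed sample modelled on "aws codebuild batch-get-projects" output
# (not real account data): one project has Privileged Mode enabled.
SAMPLE_BATCH_OUTPUT = json.dumps({"projects": [
    {"name": "cc-repo-code-project",
     "environment": {"type": "ARM_CONTAINER",
                     "image": "aws/codebuild/amazonlinux2-aarch64-standard:2.0",
                     "computeType": "BUILD_GENERAL1_SMALL",
                     "environmentVariables": [
                         {"name": "STAGE", "value": "prod", "type": "PLAINTEXT"}],
                     "privilegedMode": True,
                     "imagePullCredentialsType": "CODEBUILD"}},
    {"name": "cc-webapp-ai-project",
     "environment": {"type": "LINUX_CONTAINER",
                     "image": "aws/codebuild/standard:7.0",
                     "computeType": "BUILD_GENERAL1_SMALL",
                     "environmentVariables": [],
                     "privilegedMode": False,
                     "imagePullCredentialsType": "CODEBUILD"}},
], "projectsNotFound": []})


def find_privileged_projects(batch_output_json):
    """Audit: names of projects whose environment has privilegedMode true."""
    data = json.loads(batch_output_json)
    return [p["name"] for p in data["projects"]
            if p.get("environment", {}).get("privilegedMode", False)]


def remediated_environment(project):
    """Flip only privilegedMode: update-project --environment replaces the
    whole environment object, so image, computeType and variables must stay."""
    env = dict(project["environment"])
    env["privilegedMode"] = False
    return env


def update_commands(batch_output_json, region="us-east-1"):
    """Remediation: one update-project command per non-compliant project."""
    data = json.loads(batch_output_json)
    flagged = set(find_privileged_projects(batch_output_json))
    return ["aws codebuild update-project --region %s --name %s --environment %s"
            % (region, shlex.quote(p["name"]),
               shlex.quote(json.dumps(remediated_environment(p))))
            for p in data["projects"] if p["name"] in flagged]


if __name__ == "__main__":
    print("\n".join(update_commands(SAMPLE_BATCH_OUTPUT)))
```

Against a real account, pipe the output of aws codebuild batch-get-projects --names ... into the script in place of the sample and review each printed command before running it.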

Publication date Sep 1, 2023