This rule ensures that CodeBuild project environments do not have privileged mode enabled.
| | |
|---|---|
| Rule | CodeBuild project environments should not have privileged mode enabled |
| Framework | AWS Foundational Security Best Practices |
| Severity | High |
Rule Description
The rule checks whether the AWS CodeBuild project environment has privileged mode enabled. Enabling privileged mode gives the build container elevated permissions on the host machine, so a compromised build (for example, through a malicious dependency or build script) can affect far more than its own container. Following AWS Foundational Security Best Practices, privileged mode should not be enabled in CodeBuild projects unless absolutely necessary.
Remediation Steps
1. Open the AWS Management Console - Log in to the AWS Management Console with your AWS account credentials.
2. Navigate to CodeBuild - Select the "CodeBuild" service from the list of available services.
3. Choose the project - From the CodeBuild dashboard, choose the project whose environment settings you want to modify.
4. Go to Project Configuration - On the project details page, click the "Edit" button under the "Environment" section.
5. Remove Privileged Mode - Scroll down to the "Additional configuration" section and uncheck the "Privileged" option.
6. Save Changes - After unchecking the "Privileged" option, click the "Save" button to apply the changes.
Verification Steps
1. Confirm configuration changes - Double-check that the changes you made to the CodeBuild project configuration actually removed privileged mode.
2. Rebuild - Trigger a build or pipeline execution that uses the CodeBuild project with the updated configuration to verify that it still works.
3. Review build logs - Monitor the build logs for any errors or issues related to the removal of privileged mode.
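The console steps above cover one project at a time. As an added example (not part of the original rule text or of any AWS tooling), the following Python helpers audit every project in an account for `privilegedMode` and build the `UpdateProject` request that turns it off; the sample project list is constructed to mirror the shape of a `BatchGetProjects` response, and the boto3 calls assume the caller has `codebuild:ListProjects`, `codebuild:BatchGetProjects` and, for remediation, `codebuild:UpdateProject`.

```python
from typing import Any


def find_privileged_projects(projects: list[dict[str, Any]]) -> list[str]:
    """Return names of projects whose environment has privilegedMode enabled.
    (privilegedMode is optional in the API response and defaults to false.)"""
    return [p["name"] for p in projects
            if p.get("environment", {}).get("privilegedMode", False)]


def disable_privileged_mode(project: dict[str, Any]) -> dict[str, Any]:
    """Build kwargs for codebuild:UpdateProject that turn privileged mode off.
    UpdateProject replaces the whole environment block, so type, image and
    computeType are carried over unchanged; only privilegedMode is flipped."""
    env = dict(project["environment"])  # copy, do not mutate the caller's data
    env["privilegedMode"] = False
    return {"name": project["name"], "environment": env}


# Constructed sample in the shape of a BatchGetProjects response (not real projects).
SAMPLE_PROJECTS = [
    {"name": "unit-tests", "environment": {"type": "LINUX_CONTAINER",
        "image": "aws/codebuild/standard:7.0", "computeType": "BUILD_GENERAL1_SMALL"}},
    {"name": "docker-image-build", "environment": {"type": "LINUX_CONTAINER",
        "image": "aws/codebuild/standard:7.0", "computeType": "BUILD_GENERAL1_MEDIUM",
        "privilegedMode": True}},
]


def audit_account(apply: bool = False) -> list[str]:
    """Audit every CodeBuild project in the account; with apply=True also remediate."""
    import boto3  # imported here so the pure helpers above run without AWS access
    cb = boto3.client("codebuild")
    names = [n for page in cb.get_paginator("list_projects").paginate()
             for n in page["projects"]]
    projects: list[dict[str, Any]] = []
    for i in range(0, len(names), 100):  # BatchGetProjects accepts at most 100 names
        projects.extend(cb.batch_get_projects(names=names[i:i + 100])["projects"])
    flagged = find_privileged_projects(projects)
    if apply:
        for p in projects:
            if p["name"] in flagged:
                cb.update_project(**disable_privileged_mode(p))
    return flagged


if __name__ == "__main__":
    print("privileged projects in sample:", find_privileged_projects(SAMPLE_PROJECTS))
```

Run `audit_account()` first to see which projects are flagged, and only pass `apply=True` once each flagged project's build no longer depends on privileged mode.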
Troubleshooting Steps
If you encounter any issues while performing the remediation steps, follow these troubleshooting steps:
1. Review error messages - Carefully analyze any error messages encountered while modifying the CodeBuild environment configuration.
2. Check permissions - Ensure that you have the permissions needed to change the CodeBuild project. Contact your AWS account administrator if you encounter permission-related errors.
3. Validate the buildspec file - If your build project uses a build specification file (buildspec.yml), check it for build steps that depend on privileged mode, such as commands that start or use the Docker daemon, and remove or modify those steps as needed.
4. Contact AWS Support - If the issues persist or you require further assistance, contact AWS Support for guidance and troubleshooting.
Conclusion
By following these steps, you have remediated the rule violation by disabling privileged mode for the AWS CodeBuild project environment. This change aligns with AWS Foundational Security Best Practices and improves the overall security posture of your CodeBuild project.