Use AWS CodeBuild to create docker images safely (without privileged mode enabled)

0

We were able to use AWS CodeBuild to create our application in a docker image. It works great, but requires that we have the "Enable this flag if you want to build Docker images or want your builds to get elevated privileges".
This triggers a high-level alert in AWS Security Hub saying "CodeBuild project environments should not have privileged mode enabled".
And the remediation guidance for this alert is pretty much not to do it.

We would like to safely use CodeBuild to build our docker images. Is this not possible/recommended? ...Is there a recommended way to do this like properly isolating the CodeBuild in its own environment? Or is there a work around so we can do this without enabling privileged mode? What are our options?

Glenn
asked 4 months ago, 359 views
2 Answers
1

This control checks whether an AWS CodeBuild project environment has privileged mode enabled or disabled. The control fails if a CodeBuild project environment has privileged mode enabled.

By default, Docker containers do not allow access to any devices. Privileged mode grants a build project's Docker container access to all devices. Setting privilegedMode with value true permits the Docker daemon to run inside a Docker container. The Docker daemon listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes. This parameter should only be set to true if the build project is used to build Docker images. Otherwise, this setting should be disabled to prevent unintended access to Docker APIs as well as the container's underlying hardware. Setting privilegedMode to false helps protect critical resources from tampering and deletion.

If your use case is legitimate, you may proceed to suppress the findings or disable the control, whichever suits you best.

[+] https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-5

[+] https://docs.aws.amazon.com/securityhub/latest/userguide/finding-workflow-status.html

answered 4 months ago
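The control quoted in the answer above boils down to one field on the project's environment block: `privilegedMode`. Rather than waiting for Security Hub to raise the finding, a team can run the same check itself and keep an explicit list of which projects are allowed to have it (the image-building ones) versus which are not. The following audit is an added example, not code from the question, the answer or AWS; it follows the shapes of the real boto3 `list_projects` and `batch_get_projects` calls, but the `FakeCodeBuild` client, the `SAMPLE_PROJECTS` data and the project names in it are constructed so the block runs offline.

```python
"""Audit AWS CodeBuild projects for privilegedMode (Security Hub control CodeBuild.5).

Added example. The audit logic is pure so it can run against constructed data; the
boto3 client shapes (list_projects / batch_get_projects) are real, FakeCodeBuild is not.
"""
from typing import Iterable, List


def privileged_projects(projects: Iterable[dict]) -> List[str]:
    """Return the names of projects whose environment has privilegedMode set to true.

    `projects` is the list under the 'projects' key of a batch_get_projects response.
    A missing environment or a missing privilegedMode key is treated as false, which
    is the API default when the flag was never enabled.
    """
    flagged = []
    for project in projects:
        env = project.get("environment") or {}
        if env.get("privilegedMode") is True:
            flagged.append(project["name"])
    return flagged


def audit_account(codebuild_client) -> List[str]:
    """Page through every project in the account and return the privileged ones.

    Works with boto3.client('codebuild') or any object exposing the same two calls.
    batch_get_projects accepts at most 100 names per call, so names are chunked.
    """
    names: List[str] = []
    token = None
    while True:
        kwargs = {"nextToken": token} if token else {}
        page = codebuild_client.list_projects(**kwargs)
        names.extend(page.get("projects", []))
        token = page.get("nextToken")
        if not token:
            break

    flagged: List[str] = []
    for start in range(0, len(names), 100):
        resp = codebuild_client.batch_get_projects(names=names[start:start + 100])
        flagged.extend(privileged_projects(resp.get("projects", [])))
    return flagged


def unexpected_privileged(codebuild_client, allowed: Iterable[str]) -> List[str]:
    """Privileged projects that are NOT on the team's approved image-build list.

    `allowed` is the set of project names for which privileged mode is a known,
    reviewed need (i.e. they actually build Docker images). Anything else is a
    finding worth fixing rather than suppressing.
    """
    allowed_set = set(allowed)
    return [name for name in audit_account(codebuild_client) if name not in allowed_set]


# Constructed sample data mirroring the batch_get_projects response shape.
SAMPLE_PROJECTS = [
    {"name": "app-image-build",
     "environment": {"type": "LINUX_CONTAINER", "image": "aws/codebuild/standard:7.0",
                     "computeType": "BUILD_GENERAL1_SMALL", "privilegedMode": True}},
    {"name": "unit-tests",
     "environment": {"type": "LINUX_CONTAINER", "image": "aws/codebuild/standard:7.0",
                     "computeType": "BUILD_GENERAL1_SMALL", "privilegedMode": False}},
    {"name": "legacy-lint",
     "environment": {"type": "LINUX_CONTAINER", "image": "aws/codebuild/standard:7.0",
                     "computeType": "BUILD_GENERAL1_SMALL"}},  # flag never set
    {"name": "forgot-to-disable",
     "environment": {"type": "LINUX_CONTAINER", "image": "aws/codebuild/standard:7.0",
                     "computeType": "BUILD_GENERAL1_SMALL", "privilegedMode": True}},
]


class FakeCodeBuild:
    """Constructed stand-in for boto3.client('codebuild'); pages two names at a time
    so the pagination loop in audit_account is actually exercised."""

    def __init__(self, projects, page_size=2):
        self._by_name = {p["name"]: p for p in projects}
        self._page_size = page_size

    def list_projects(self, nextToken=None):
        names = list(self._by_name)
        start = int(nextToken) if nextToken else 0
        resp = {"projects": names[start:start + self._page_size]}
        if start + self._page_size < len(names):
            resp["nextToken"] = str(start + self._page_size)
        return resp

    def batch_get_projects(self, names):
        return {"projects": [self._by_name[n] for n in names if n in self._by_name],
                "projectsNotFound": [n for n in names if n not in self._by_name]}


if __name__ == "__main__":
    # Swap FakeCodeBuild(...) for boto3.client("codebuild") to audit a real account.
    client = FakeCodeBuild(SAMPLE_PROJECTS)
    print("privileged:", audit_account(client))
    print("not on the approved list:", unexpected_privileged(client, allowed={"app-image-build"}))
```

The split between `audit_account` and `unexpected_privileged` is the point: the control fires on every privileged project, but the remediation differs. A project on the approved list is the "legitimate use case" the answer mentions, and its finding can be suppressed with a documented reason; any other hit means the flag should simply be turned off, since nothing in that project needs the Docker daemon.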
0
answered 4 months ago
