turbot/aws_compliance

Control: 5 CodeBuild project environments should not have privileged mode enabled

Description

This control checks if an AWS CodeBuild project environment has privileged mode enabled. This control fails when an AWS CodeBuild project environment has privileged mode enabled.

By default, Docker containers do not allow access to any devices. Privileged mode grants a build project's Docker container access to all devices. Setting privilegedMode to true enables running the Docker daemon inside a Docker container. The Docker daemon listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes. This parameter should be set to true only if the build project is used to build Docker images. Otherwise, it should be disabled: unintended access to the Docker API and to the container's underlying hardware through privilegedMode creates a risk of malicious tampering with, or deletion of, critical resources.

Remediation

For more information on how to configure CodeBuild project environment settings, see Create a build project (console) in the CodeBuild User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_codebuild_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_codebuild_5 --share

SQL

This control uses a named query:

codebuild_project_environment_privileged_mode_disabled
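A Steampipe query in the shape this control's check takes, added here as an illustration; it is not the mod's own named query text. It assumes the Steampipe aws_codebuild_project table, whose jsonb environment column mirrors the CodeBuild API and carries the PrivilegedMode flag.

```sql
-- Added illustration, not the mod's own named query.
-- Assumes Steampipe's aws_codebuild_project table with a jsonb
-- "environment" column holding the CodeBuild environment settings.
-- A project is flagged only when PrivilegedMode is explicitly true;
-- a missing key yields NULL, which falls through to 'ok'.
select
  arn as resource,
  case
    when (environment ->> 'PrivilegedMode')::boolean then 'alarm'
    else 'ok'
  end as status,
  case
    when (environment ->> 'PrivilegedMode')::boolean
      then name || ' has privileged mode enabled.'
    else name || ' has privileged mode disabled.'
  end as reason,
  region,
  account_id
from
  aws_codebuild_project;
```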

Tags