Docker build in CodeBuild without Privileged mode


We are building Docker images in CodeBuild. This works fine, but we have a "HIGH" Security Hub finding because we had to enable privileged mode:

CodeBuild.5 CodeBuild project environments should not have privileged mode enabled

I'm currently looking for a way to build Docker images without using privileged mode. I saw this URL from AWS where they are also using privileged mode.

How can I build Docker images without using this mode so we are compliant with the Security Hub rules?


There are 3 best solutions below

Answer (score 0):

If we refer to the AWS guide https://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html:

Because you use this build project to build a Docker image, select Privileged

Since you're building a Docker image, CodeBuild would require privilegedMode=true.

@ekeyse has shared the CDK doc, which says privileged mode is required, otherwise it will fail:

Specify true to enable running the Docker daemon inside a Docker container. This value must be set to true only if this build project will be used to build Docker images, and the specified build environment image is not one provided by AWS CodeBuild with Docker support. Otherwise, all associated builds that attempt to interact with the Docker daemon will fail.

I personally think that Security Hub is informing you that there is a CodeBuild project running in privileged mode; you may ignore it if that is intended.

Answer (score 1):

If you use docker-compose build instead of docker build, privilegedMode can be disabled.

Answer (score 1):

You can do it through the AWS CLI.

aws codebuild update-project --name "my-project-name" --environment "{\"type\": \"LINUX_CONTAINER\",\"image\": \"aws/codebuild/amazonlinux2-x86_64-standard:2.0\",\"computeType\": \"BUILD_GENERAL1_SMALL\",\"privilegedMode\": false}" --profile my-aws-profile-nonprod

Here is the AWS documentation.

There is no way (for now) to do it through the AWS console. But you can see your configuration here in the console:
AWS Config > Resources > my-project-name > View Configuration Item (JSON)

and you can check the result afterwards.
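The update-project command in this answer hardcodes the environment type, image and compute type, so running it blindly can change settings other than privilegedMode. The following is an added example (not the answer author's code) that reads the output shape of `aws codebuild batch-get-projects`, lists the projects the CodeBuild.5 control would flag, and renders an update-project call that flips only privilegedMode while keeping every other environment key. The sample JSON is constructed for this example; the project names and values in it are not from any real account.

```python
"""Audit CodeBuild project environments for privilegedMode and build the
update-project payload that disables it, preserving the other settings.

The input mirrors the JSON shape returned by
`aws codebuild batch-get-projects --names ...` (a "projects" list whose
items carry an "environment" object). The sample document below is
constructed for this example, not real account data."""
import json
import shlex

# Constructed sample: what batch-get-projects might return for two projects.
SAMPLE_BATCH_GET_PROJECTS = json.dumps({
    "projects": [
        {
            "name": "my-project-name",
            "environment": {
                "type": "LINUX_CONTAINER",
                "image": "aws/codebuild/amazonlinux2-x86_64-standard:2.0",
                "computeType": "BUILD_GENERAL1_SMALL",
                "environmentVariables": [
                    {"name": "ENV", "value": "nonprod", "type": "PLAINTEXT"}
                ],
                "privilegedMode": True,
                "imagePullCredentialsType": "CODEBUILD",
            },
        },
        {
            "name": "lint-only",
            "environment": {
                "type": "LINUX_CONTAINER",
                "image": "aws/codebuild/amazonlinux2-x86_64-standard:2.0",
                "computeType": "BUILD_GENERAL1_SMALL",
                "privilegedMode": False,
            },
        },
    ],
    "projectsNotFound": [],
})


def find_privileged_projects(batch_get_projects_json: str) -> list:
    """Return the names of projects whose environment has privilegedMode=true.

    This is the condition Security Hub control CodeBuild.5 reports on.
    A missing key is treated as false, which is CodeBuild's default."""
    doc = json.loads(batch_get_projects_json)
    return [
        p["name"]
        for p in doc.get("projects", [])
        if p.get("environment", {}).get("privilegedMode", False) is True
    ]


def unprivileged_environment(batch_get_projects_json: str, project_name: str) -> dict:
    """Build the --environment payload for `aws codebuild update-project`
    with privilegedMode set to false and every other environment key kept
    as-is, so the fix does not silently change the image or compute type."""
    doc = json.loads(batch_get_projects_json)
    for p in doc.get("projects", []):
        if p["name"] == project_name:
            env = dict(p["environment"])  # shallow copy; we only replace one key
            env["privilegedMode"] = False
            return env
    raise KeyError(f"project not found: {project_name}")


def update_project_command(batch_get_projects_json: str, project_name: str) -> str:
    """Render the CLI invocation; shlex.quote makes the JSON safe for a POSIX shell."""
    env = unprivileged_environment(batch_get_projects_json, project_name)
    return (
        f"aws codebuild update-project --name {shlex.quote(project_name)} "
        f"--environment {shlex.quote(json.dumps(env))}"
    )


if __name__ == "__main__":
    for name in find_privileged_projects(SAMPLE_BATCH_GET_PROJECTS):
        print(f"CodeBuild.5: {name} has privilegedMode=true")
        print(update_project_command(SAMPLE_BATCH_GET_PROJECTS, name))
```

In practice you would feed the script the real output of `aws codebuild batch-get-projects --names <project> --profile <profile>` instead of the constructed sample, review the printed command, and then run it; re-reading the project afterwards (or checking the AWS Config configuration item, as the answer suggests) confirms that only privilegedMode changed.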