remove CodeBuildProjectPrivilegedModeDisabled

cdklabs · Nov 10, 2024 · 54380b4 · 54380b4
1 parent cec1cab
commit 54380b4
Show file tree

Hide file tree

Showing 6 changed files with 0 additions and 80 deletions.
diff --git a/RULES.md b/RULES.md
@@ -16,7 +16,6 @@ The [AWS Solutions Library](https://aws.amazon.com/solutions/) offers a collecti
 | Rule ID            | Cause                                                                                                                                                  | Explanation                                                                                                                                                                                                                                                                                                                               |
 | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | AwsSolutions-APIG3 | The REST API stage is not associated with AWS WAFv2 web ACL.                                                                                           | AWS WAFv2 is a web application firewall that helps protect web applications and APIs from attacks by allowing configured rules to allow, block, or monitor (count) web requests based on customizable rules and conditions that are defined.                                                                                              |
-| AwsSolutions-CB3   | The CodeBuild project has privileged mode enabled.                                                                                                     | Privileged grants elevated rights to the system, which introduces additional risk. Privileged mode should only be set to true only if the build project is used to build Docker images. Otherwise, a build that attempts to interact with the Docker daemon fails.                                                                        |
 | AwsSolutions-CB5   | The Codebuild project does not use images provided by the CodeBuild service or have a cdk-nag suppression rule explaining the need for a custom image. | Explaining differences/edits to Docker images helps operators better understand system dependencies.                                                                                                                                                                                                                                      |
 | AwsSolutions-CFR1  | The CloudFront distribution may require Geo restrictions.                                                                                              | Geo restriction may need to be enabled for the distribution in order to allow or deny a country in order to allow or restrict users in specific locations from accessing content.                                                                                                                                                         |
 | AwsSolutions-CFR2  | The CloudFront distribution may require integration with AWS WAF.                                                                                      | The Web Application Firewall can help protect against application-layer attacks that can compromise the security of the system or place unnecessary load on them.                                                                                                                                                                         |

diff --git a/src/packs/aws-solutions.ts b/src/packs/aws-solutions.ts
@@ -32,7 +32,6 @@ import {
 import {
   CodeBuildProjectKMSEncryptedArtifacts,
   CodeBuildProjectManagedImages,
-  CodeBuildProjectPrivilegedModeDisabled,
 } from '../rules/codebuild';
 import {
   CognitoUserPoolAdvancedSecurityModeEnforced,
@@ -1454,15 +1453,6 @@ export class AwsSolutionsChecks extends NagPack {
    * @param ignores list of ignores for the resource
    */
   private checkDeveloperTools(node: CfnResource): void {
-    this.applyRule({
-      ruleSuffixOverride: 'CB3',
-      info: 'The CodeBuild project has privileged mode enabled.',
-      explanation:
-        'Privileged grants elevated rights to the system, which introduces additional risk. Privileged mode should only be set to true only if the build project is used to build Docker images. Otherwise, a build that attempts to interact with the Docker daemon fails.',
-      level: NagMessageLevel.WARN,
-      rule: CodeBuildProjectPrivilegedModeDisabled,
-      node: node,
-    });
     this.applyRule({
       ruleSuffixOverride: 'CB4',
       info: 'The CodeBuild project does not use an AWS KMS key for encryption.',

diff --git a/src/rules/codebuild/CodeBuildProjectPrivilegedModeDisabled.ts b/src/rules/codebuild/CodeBuildProjectPrivilegedModeDisabled.ts
diff --git a/src/rules/codebuild/index.ts b/src/rules/codebuild/index.ts
@@ -5,5 +5,4 @@ SPDX-License-Identifier: Apache-2.0
 export { default as CodeBuildProjectEnvVarAwsCred } from './CodeBuildProjectEnvVarAwsCred';
 export { default as CodeBuildProjectKMSEncryptedArtifacts } from './CodeBuildProjectKMSEncryptedArtifacts';
 export { default as CodeBuildProjectManagedImages } from './CodeBuildProjectManagedImages';
-export { default as CodeBuildProjectPrivilegedModeDisabled } from './CodeBuildProjectPrivilegedModeDisabled';
 export { default as CodeBuildProjectSourceRepoUrl } from './CodeBuildProjectSourceRepoUrl';
diff --git a/test/Packs.test.ts b/test/Packs.test.ts
@@ -39,7 +39,6 @@ describe('Check NagPack Details', () => {
     test('Pack contains expected warning and error rules', () => {
       const expectedWarnings = [
         'AwsSolutions-APIG3',
-        'AwsSolutions-CB3',
         'AwsSolutions-CB5',
         'AwsSolutions-CFR1',
         'AwsSolutions-CFR2',

diff --git a/test/rules/CodeBuild.test.ts b/test/rules/CodeBuild.test.ts
@@ -15,15 +15,13 @@ import {
   CodeBuildProjectEnvVarAwsCred,
   CodeBuildProjectKMSEncryptedArtifacts,
   CodeBuildProjectManagedImages,
-  CodeBuildProjectPrivilegedModeDisabled,
   CodeBuildProjectSourceRepoUrl,
 } from '../../src/rules/codebuild';
 
 const testPack = new TestPack([
   CodeBuildProjectEnvVarAwsCred,
   CodeBuildProjectKMSEncryptedArtifacts,
   CodeBuildProjectManagedImages,
-  CodeBuildProjectPrivilegedModeDisabled,
   CodeBuildProjectSourceRepoUrl,
 ]);
 let stack: Stack;
@@ -265,39 +263,6 @@ describe('Amazon CodeBuild', () => {
     });
   });
 
-  describe('CodeBuildProjectPrivilegedModeDisabled: Codebuild projects have privileged mode disabled', () => {
-    const ruleId = 'CodeBuildProjectPrivilegedModeDisabled';
-    test('Noncompliance 1', () => {
-      new Project(stack, 'rBuildProject', {
-        buildSpec: BuildSpec.fromObjectToYaml({
-          version: 0.2,
-          phases: {
-            build: {
-              commands: ['echo "foo"'],
-            },
-          },
-        }),
-        environment: {
-          privileged: true,
-        },
-      });
-      validateStack(stack, ruleId, TestType.NON_COMPLIANCE);
-    });
-    test('Compliance', () => {
-      new Project(stack, 'rBuildProject', {
-        buildSpec: BuildSpec.fromObjectToYaml({
-          version: 0.2,
-          phases: {
-            build: {
-              commands: ['echo "foo"'],
-            },
-          },
-        }),
-      });
-      validateStack(stack, ruleId, TestType.COMPLIANCE);
-    });
-  });
-
   describe('CodeBuildProjectSourceRepoUrl: Codebuild projects with a GitHub or BitBucket source repository utilize OAUTH', () => {
     const ruleId = 'CodeBuildProjectSourceRepoUrl';
     test('Noncompliance 1', () => {