Overprivileged CodeBuild default ECR IAM policy

Published Sat, Feb 25th, 2023


For AWS CodeBuild projects that use a custom container image stored in Amazon ECR and rely on the project service role for the credentials to pull that image, the default IAM policy attached to the role to permit the pull was over-privileged: besides pulling, it also allowed the CodeBuild container to overwrite its own build image. An attacker able to read the container credentials from the metadata service, or to run commands within the build container, could therefore push a modified image over the original and gain persistence within the CodeBuild project, since later builds would start from the tampered image.

Affected Services

AWS CodeBuild, AWS ECR


For any CodeBuild project created before July 26, 2022 that uses a custom container image, update the project's IAM policy to match the updated policy, which no longer grants the permissions needed to overwrite the image. Refer to the CodeBuild documentation for updating your project's IAM policies.
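The page does not list the exact actions in AWS's pre-fix policy, so the following is an added audit example (not the advisory's or AWS's own code) that shows the check a practitioner would run before trusting a project's service role: it scans an IAM policy document for the ECR actions that permit pushing or deleting an image, expanding IAM wildcards such as `ecr:*` or `ecr:Put*`. The two sample policies are constructed here to illustrate the over-privileged and pull-only shapes; the set of "write" actions is an assumption about what image overwrite requires in ECR.

```python
"""Audit an IAM policy document for ECR actions that let the principal overwrite
an image tag. Added example for this advisory; the sample policies are constructed."""
import fnmatch
import json

# Read-only actions an ECR pull needs (GetAuthorizationToken is account-wide).
ECR_PULL_ACTIONS = {
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
}

# Assumption: actions that allow pushing layers / re-tagging or deleting images,
# i.e. what a build container would need to replace its own build image.
ECR_WRITE_ACTIONS = {
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
    "ecr:BatchDeleteImage",
}

# Constructed sample: pull permissions bundled with push permissions on every repo.
OVERPRIVILEGED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ecr:GetAuthorizationToken",
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:PutImage"
    ],
    "Resource": "*"
  }]
}""")

# Constructed sample: the pull-only shape a CodeBuild service role should have.
PULL_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted(ECR_PULL_ACTIONS),
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM allows a single string or a list for Statement/Action; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def ecr_write_actions_granted(policy):
    """Return the ECR write actions granted by Allow statements in `policy`.

    Action patterns are matched case-insensitively with IAM-style wildcards
    ('*' and '?'). Deny statements, NotAction and Condition blocks are not
    evaluated, so a non-empty result means "grants unless denied elsewhere".
    """
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in ECR_WRITE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return granted


def is_pull_only(policy):
    """True when the policy grants no ECR write action (image cannot be overwritten)."""
    return not ecr_write_actions_granted(policy)


if __name__ == "__main__":
    for name, doc in (("overprivileged", OVERPRIVILEGED_POLICY), ("pull-only", PULL_ONLY_POLICY)):
        extra = sorted(ecr_write_actions_granted(doc))
        print(f"{name}: pull-only={is_pull_only(doc)} write actions={extra}")
```

To audit a real project, fetch the service role's inline policy with `aws iam get-role-policy --role-name <role> --policy-name <policy>` (or `aws iam get-policy-version` for a managed policy), pass the `PolicyDocument` object to `ecr_write_actions_granted`, and treat any non-empty result as a finding. Because the helper ignores Deny statements and conditions, it errs on the side of reporting; a wildcard such as `ecr:*` on `Resource: "*"` is flagged as granting every write action.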

Tracked CVEs

No tracked CVEs


Disclosure Date
Mon, Jul 4th, 2022
Exploitability Period
Until July 26, 2022
Discovered by
Will Deane, ASX Consulting