For AWS CodeBuild, when using a custom container image stored in ECR and the
project service role for the credentials to pull the image, the default IAM
policy attached to the role to allow pulling the container was over-privileged
and allowed the CodeBuild container to overwrite its own build image.
An attacker with the ability to read the container credentials from the meta-data
service or run commands within the container could thereby overwrite the container to gain
persistence within the CodeBuild project.
AWS CodeBuild, AWS ECR
For any CodeBuild projects created before July 26, 2022, which are using a custom container image,
update those project’s IAM policies to match the updated policy.
Please refer to the CodeBuild documentation for updating your project’s IAM policies.