PlatformResourcesSign inSign Up

Ensure AWS Batch Job is not defined as a privileged container

Error: AWS Batch Job is defined as a privileged container

Bridgecrew Policy ID: BC_AWS_GENERAL_125
Checkov Check ID: CKV_AWS_210
Severity: LOW

Suggest Edits

AWS Batch Job is defined as a privileged container

Description

By defining your AWS Batch job as a privileged container, you can ensure that it has the necessary privileges to access system devices, such as GPUs or hardware accelerators, modify system-level configuration files, and more.
That said, making a job overly permissive might increase the potential security risks, as the job will have more access to sensitive system resourcesץ

Fix - Runtime

Fix - Buildtime

Terraform

resource "aws_batch_job_definition" "pass" {
  name = "tf_test_batch_job_definition"
  type = "container"

  container_properties = <<CONTAINER_PROPERTIES
{
    "command": ["ls", "-la"],
    "image": "busybox",
    "memory": 1024,
    "vcpus": 1,
    "privileged": false,
    "volumes": [
      {
        "host": {
          "sourcePath": "/tmp"
        },
        "name": "tmp"
      }
    ],
    "environment": [
        {"name": "VARNAME", "value": "VARVAL"}
    ],
    "mountPoints": [
        {
          "sourceVolume": "tmp",
          "containerPath": "/tmp",
          "readOnly": false
        }
    ],
    "ulimits": [
      {
        "hardLimit": 1024,
        "name": "nofile",
        "softLimit": 1024
      }
    ]
}
CONTAINER_PROPERTIES
}

Updated 9 months ago