Ensure AWS Batch Job is not defined as a privileged container
Error: AWS Batch Job is defined as a privileged container
Bridgecrew Policy ID: BC_AWS_GENERAL_125
Checkov Check ID: CKV_AWS_210
Severity: LOW
Description
Defining an AWS Batch job as a privileged container gives it elevated access to the host it runs on: it can use system devices such as GPUs or hardware accelerators, modify system-level configuration files, and more.
That said, making a job this permissive increases the potential security impact of a compromise, because the job has far broader access to sensitive host resources than it needs.
Fix - Runtime
Fix - Buildtime
Terraform
resource "aws_batch_job_definition" "pass" {
  name = "tf_test_batch_job_definition"
  type = "container"

  container_properties = <<CONTAINER_PROPERTIES
{
  "command": ["ls", "-la"],
  "image": "busybox",
  "memory": 1024,
  "vcpus": 1,
  "privileged": false,
  "volumes": [
    {
      "host": {
        "sourcePath": "/tmp"
      },
      "name": "tmp"
    }
  ],
  "environment": [
    {"name": "VARNAME", "value": "VARVAL"}
  ],
  "mountPoints": [
    {
      "sourceVolume": "tmp",
      "containerPath": "/tmp",
      "readOnly": false
    }
  ],
  "ulimits": [
    {
      "hardLimit": 1024,
      "name": "nofile",
      "softLimit": 1024
    }
  ]
}
CONTAINER_PROPERTIES
}
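The following is an added example, not Checkov's own implementation of CKV_AWS_210, showing the evaluation logic a policy check applies to the container_properties JSON document above: a job fails only when "privileged" is explicitly true, an omitted key inherits the AWS default of false, and an unparsable document is reported rather than silently passed. The sample documents are constructed for this example.

```python
import json

# Constructed sample container_properties documents (not from the page):
# one privileged, one explicitly unprivileged, one omitting the key
# (AWS Batch defaults privileged to false), and one that is malformed JSON.
PRIVILEGED_JOB = '{"image": "busybox", "vcpus": 1, "memory": 1024, "privileged": true}'
UNPRIVILEGED_JOB = '{"image": "busybox", "vcpus": 1, "memory": 1024, "privileged": false}'
DEFAULT_JOB = '{"image": "busybox", "vcpus": 1, "memory": 1024}'
MALFORMED_JOB = '{"image": "busybox", "privileged": tru'


def check_privileged(container_properties: str) -> str:
    """Evaluate one container_properties JSON string.

    Returns "FAILED" when "privileged" is the JSON boolean true,
    "PASSED" when it is false or absent (the AWS default), and
    "UNKNOWN" when the document cannot be parsed into an object.
    """
    try:
        props = json.loads(container_properties)
    except json.JSONDecodeError:
        # An unparsable document must not be treated as compliant.
        return "UNKNOWN"
    if not isinstance(props, dict):
        return "UNKNOWN"
    # Only a real JSON boolean true is a privileged container; a missing
    # key means the job runs with the AWS default of privileged = false.
    return "FAILED" if props.get("privileged") is True else "PASSED"


def scan_job_definitions(definitions: dict) -> dict:
    """Map each job definition name to its check result."""
    return {name: check_privileged(props) for name, props in definitions.items()}


if __name__ == "__main__":
    results = scan_job_definitions({
        "gpu_worker": PRIVILEGED_JOB,
        "tf_test_batch_job_definition": UNPRIVILEGED_JOB,
        "default_job": DEFAULT_JOB,
        "broken_job": MALFORMED_JOB,
    })
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
```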