For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible-aws-batch-job-definition-with-privileged-container-properties.md.
Batch job definitions must not enable privileged containers. Privileged mode weakens container isolation and can allow containers to access host resources or escalate privileges, increasing the risk of host compromise and lateral movement.
For Ansible, tasks using the community.aws.batch_job_definition or aws_batch_job_definition modules must not set the privileged parameter to true. The privileged setting should be omitted or explicitly set to false in the job definition’s container properties. Resources with privileged: true are flagged. Only enable privileged mode when absolutely required and after applying additional host hardening, access controls, and justification.
Secure example:
```yaml
- name: Register Batch job definition without privileged mode
  community.aws.batch_job_definition:
    name: my-batch-job
    container_properties:
      image: my-image:latest
      vcpus: 1
      memory: 1024
      privileged: false
```
Compliant Code Examples
```yaml
- name: My Batch Job Definition
  community.aws.batch_job_definition:
    job_definition_name: My Batch Job Definition without privilege
    state: present
    type: container
    parameters:
      Param1: Val1
      Param2: Val2
    privileged: false
    image: <Docker Image URL>
    vcpus: 1
    memory: 512
    command:
      - python
      - run_my_script.py
      - arg1
    job_role_arn: <Job Role ARN>
    attempts: 3
  register: job_definition_create_result

- name: My Batch Job Definition without explicit privilege
  community.aws.batch_job_definition:
    job_definition_name: My Batch Job Definition
    state: present
    type: container
    parameters:
      Param1: Val1
      Param2: Val2
    image: <Docker Image URL>
    vcpus: 1
    memory: 512
    command:
      - python
      - run_my_script.py
      - arg1
    job_role_arn: <Job Role ARN>
    attempts: 3
  register: job_definition_create_result
```
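As an added example (not Datadog's scanner or the Ansible collection's code), the check below applies this rule to a playbook's task list once it has been parsed into Python dicts: it covers both module names the rule names, reads `privileged` either at the module's top level or under `container_properties` (the two layouts shown on this page), mirrors Ansible's string-to-boolean coercion so `"yes"` is caught as well as `true`, and descends into `block`/`rescue`/`always` sections. The sample tasks are constructed for illustration.

```python
from typing import Any, Iterable, List

# Module names the rule covers: the FQCN and the legacy short name.
BATCH_MODULES = ("community.aws.batch_job_definition", "aws_batch_job_definition")
# String spellings Ansible coerces to boolean true.
TRUE_STRINGS = {"1", "true", "yes", "on", "y", "t"}

def is_truthy(value: Any) -> bool:
    """Mirror Ansible's boolean coercion for the privileged parameter."""
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        return value == 1
    if isinstance(value, str):
        return value.strip().lower() in TRUE_STRINGS
    return False

def privileged_setting(args: dict) -> Any:
    """Read privileged from the module's top level or from container_properties;
    None means it was omitted, which the rule treats as compliant."""
    if "privileged" in args:
        return args["privileged"]
    return (args.get("container_properties") or {}).get("privileged")

def find_privileged_tasks(tasks: Iterable[dict]) -> List[str]:
    """Return the names of tasks this rule would flag, descending into blocks."""
    findings: List[str] = []
    for task in tasks:
        for section in ("block", "rescue", "always"):
            findings += find_privileged_tasks(task.get(section) or [])
        for module in BATCH_MODULES:
            if module in task and is_truthy(privileged_setting(task[module] or {})):
                findings.append(task.get("name", "<unnamed task>"))
    return findings

# Constructed sample tasks, in the shape a YAML loader produces for a play's task list.
SAMPLE_TASKS = [
    {"name": "flagged: privileged true", "community.aws.batch_job_definition":
        {"job_definition_name": "job-a", "image": "my-image:latest", "privileged": True}},
    {"name": "flagged: privileged yes in container_properties", "aws_batch_job_definition":
        {"name": "job-b", "container_properties": {"image": "my-image:latest", "privileged": "yes"}}},
    {"name": "ok: privileged false", "community.aws.batch_job_definition":
        {"job_definition_name": "job-c", "image": "my-image:latest", "privileged": False}},
    {"name": "ok: privileged omitted", "community.aws.batch_job_definition":
        {"job_definition_name": "job-d", "image": "my-image:latest"}},
    {"name": "wrapper", "block": [{"name": "flagged: nested in block",
        "aws_batch_job_definition": {"job_definition_name": "job-e", "privileged": "True"}}]},
]
```

Running `find_privileged_tasks(SAMPLE_TASKS)` returns only the three tasks whose names begin with "flagged".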