Batch job definition with privileged container properties
Id: cloudformation-aws-batch-job-definition-with-privileged-container-properties
Provider: AWS
Platform: CloudFormation
Severity: High
Category: Insecure Configurations
Description

Running AWS Batch job containers in privileged mode gives the container process the full set of Linux capabilities and access to the host's device nodes, effectively the same access to the host kernel as a root process outside the container. That makes container escape, host compromise, and lateral movement across the compute environment straightforward for any code running in the job, including a compromised dependency. The Privileged property under Properties.ContainerProperties in AWS::Batch::JobDefinition must be set to false (the property defaults to false when omitted, so omitting it is also compliant). Resources with Privileged set to true are flagged. If a job legitimately requires extra capabilities, avoid privileged mode and instead grant only the specific capabilities or devices it needs, or run the workload on dedicated, hardened hosts. Note that other hardening properties on the same container, such as ReadonlyRootFilesystem: true in the examples below, do not offset privileged mode: a privileged process can still reach host devices and kernel interfaces regardless of how its own root filesystem is mounted.
Secure configuration example:

MyJobDefinition:
  Type: AWS::Batch::JobDefinition
  Properties:
    ContainerProperties:
      Image: my-image
      Vcpus: 1
      Memory: 1024
      Privileged: false   # explicitly disabled; omitting it has the same effect
Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: "BatchJobDefinition"
Resources:
  JobDefinition:
    Type: AWS::Batch::JobDefinition
    Properties:
      Type: container
      JobDefinitionName: nvidia-smi
      ContainerProperties:
        MountPoints:
          - ReadOnly: false
            SourceVolume: nvidia
            ContainerPath: /usr/local/nvidia
        Volumes:
          - Host:
              SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
            Name: nvidia
        Command:
          - nvidia-smi
        Memory: 2000
        Privileged: false   # compliant: privileged mode explicitly disabled
        JobRoleArn: String
        ReadonlyRootFilesystem: true
        Vcpus: 2
        Image: nvidia/cuda
AWSTemplateFormatVersion: "2010-09-09"
Description: "BatchJobDefinition"
Resources:
  JobDefinition1:
    Type: AWS::Batch::JobDefinition
    Properties:
      Type: container
      JobDefinitionName: nvidia-smi
      ContainerProperties:
        # compliant: Privileged is omitted and therefore defaults to false
        MountPoints:
          - ReadOnly: false
            SourceVolume: nvidia
            ContainerPath: /usr/local/nvidia
        Volumes:
          - Host:
              SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
            Name: nvidia
        Command:
          - nvidia-smi
        Memory: 2000
        JobRoleArn: String
        ReadonlyRootFilesystem: true
        Vcpus: 2
        Image: nvidia/cuda
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "BatchJobDefinition",
  "Resources": {
    "JobDefinition": {
      "Properties": {
        "Type": "container",
        "JobDefinitionName": "nvidia-smi",
        "ContainerProperties": {
          "Command": [
            "nvidia-smi"
          ],
          "JobRoleArn": "String",
          "Vcpus": 2,
          "ReadonlyRootFilesystem": true,
          "Image": "nvidia/cuda",
          "MountPoints": [
            {
              "ReadOnly": false,
              "SourceVolume": "nvidia",
              "ContainerPath": "/usr/local/nvidia"
            }
          ],
          "Volumes": [
            {
              "Host": {
                "SourcePath": "/var/lib/nvidia-docker/volumes/nvidia_driver/latest"
              },
              "Name": "nvidia"
            }
          ],
          "Memory": 2000,
          "Privileged": false
        }
      },
      "Type": "AWS::Batch::JobDefinition"
    }
  }
}
Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: "BatchJobDefinition"
Resources:
  JobDefinition:
    Type: AWS::Batch::JobDefinition
    Properties:
      Type: container
      JobDefinitionName: nvidia-smi
      ContainerProperties:
        MountPoints:
          - ReadOnly: false
            SourceVolume: nvidia
            ContainerPath: /usr/local/nvidia
        Volumes:
          - Host:
              SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
            Name: nvidia
        Command:
          - nvidia-smi
        Memory: 2000
        Privileged: true   # non-compliant: container runs with host-level privileges
        JobRoleArn: String
        ReadonlyRootFilesystem: true
        Vcpus: 2
        Image: nvidia/cuda
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "BatchJobDefinition",
  "Resources": {
    "JobDefinition": {
      "Type": "AWS::Batch::JobDefinition",
      "Properties": {
        "Type": "container",
        "JobDefinitionName": "nvidia-smi",
        "ContainerProperties": {
          "Memory": 2000,
          "Privileged": true,
          "Vcpus": 2,
          "MountPoints": [
            {
              "ReadOnly": false,
              "SourceVolume": "nvidia",
              "ContainerPath": "/usr/local/nvidia"
            }
          ],
          "Command": [
            "nvidia-smi"
          ],
          "ReadonlyRootFilesystem": true,
          "Image": "nvidia/cuda",
          "Volumes": [
            {
              "Host": {
                "SourcePath": "/var/lib/nvidia-docker/volumes/nvidia_driver/latest"
              },
              "Name": "nvidia"
            }
          ],
          "JobRoleArn": "String"
        }
      }
    }
  }
}
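The check this rule describes can be reproduced locally before a template ever reaches Datadog. The following Python script is an added example written for this page; it is not Datadog's rule implementation and not AWS code. It walks a parsed CloudFormation template, finds every AWS::Batch::JobDefinition, and reports each ContainerProperties block whose Privileged value is true, treating an omitted property as compliant because it defaults to false. Two choices go beyond the rule text and are assumptions: a string value of "true" is treated as true, since CloudFormation accepts string-typed booleans, and the NodeProperties.NodeRangeProperties[*].Container block of multi-node parallel jobs is scanned as well, because it carries the same Privileged property. Only the standard library is used, so the script parses JSON templates directly; YAML templates would need a loader that understands CloudFormation intrinsic tags such as !Ref, which is out of scope here. The sample templates embedded below are constructed for the example and mirror the compliant and non-compliant definitions above.

```python
"""Flag AWS::Batch::JobDefinition resources whose container runs privileged."""
import json
from typing import Any, Dict, Iterator, List, Tuple

RESOURCE_TYPE = "AWS::Batch::JobDefinition"


def _is_true(value: Any) -> bool:
    """CloudFormation booleans may be real booleans or the string "true" (assumption)."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def _container_blocks(props: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (path, ContainerProperties) pairs found in one job definition.

    Properties.ContainerProperties is what the rule describes. The NodeProperties
    branch is an added extension for multi-node parallel jobs, whose per-node-range
    Container block uses the same Privileged property.
    """
    container = props.get("ContainerProperties")
    if isinstance(container, dict):
        yield "Properties.ContainerProperties", container
    node = props.get("NodeProperties")
    if isinstance(node, dict):
        for i, rng in enumerate(node.get("NodeRangeProperties") or []):
            if isinstance(rng, dict) and isinstance(rng.get("Container"), dict):
                yield (f"Properties.NodeProperties.NodeRangeProperties[{i}].Container",
                       rng["Container"])


def find_privileged_job_definitions(template: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (logical id, property path) for every privileged container.

    A missing Privileged key is compliant: the property defaults to false.
    """
    findings: List[Tuple[str, str]] = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != RESOURCE_TYPE:
            continue
        props = resource.get("Properties") or {}
        for path, container in _container_blocks(props):
            if _is_true(container.get("Privileged", False)):
                findings.append((logical_id, path + ".Privileged"))
    return findings


def scan_json_template(text: str) -> List[Tuple[str, str]]:
    """Parse a JSON-format template and scan it."""
    return find_privileged_job_definitions(json.loads(text))


# Constructed sample: a trimmed version of the page's non-compliant JSON template.
NON_COMPLIANT_JSON = """
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "JobDefinition": {
      "Type": "AWS::Batch::JobDefinition",
      "Properties": {
        "Type": "container",
        "ContainerProperties": {
          "Image": "nvidia/cuda",
          "Vcpus": 2,
          "Memory": 2000,
          "Privileged": true,
          "ReadonlyRootFilesystem": true
        }
      }
    }
  }
}
"""

# Constructed sample: explicit false, omitted (defaults to false), and an unrelated resource.
COMPLIANT_TEMPLATE = {
    "Resources": {
        "Explicit": {"Type": RESOURCE_TYPE,
                     "Properties": {"ContainerProperties": {"Image": "my-image", "Privileged": False}}},
        "Omitted": {"Type": RESOURCE_TYPE,
                    "Properties": {"ContainerProperties": {"Image": "my-image"}}},
        "NotABatchJob": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}

# Constructed sample: multi-node job whose second node range is privileged via the string "true".
MULTINODE_TEMPLATE = {
    "Resources": {
        "MnpJob": {"Type": RESOURCE_TYPE, "Properties": {"Type": "multinode", "NodeProperties": {
            "NodeRangeProperties": [
                {"TargetNodes": "0", "Container": {"Image": "a", "Privileged": False}},
                {"TargetNodes": "1:", "Container": {"Image": "b", "Privileged": "true"}},
            ]}}}
    }
}

if __name__ == "__main__":
    for name, findings in (("non-compliant", scan_json_template(NON_COMPLIANT_JSON)),
                           ("compliant", find_privileged_job_definitions(COMPLIANT_TEMPLATE)),
                           ("multinode", find_privileged_job_definitions(MULTINODE_TEMPLATE))):
        print(name, findings or "no findings")
```

Running the script reports one finding for the non-compliant template at Properties.ContainerProperties.Privileged, none for the compliant template, and one for the multi-node template at node range index 1. Wiring it into a pre-commit hook or CI step gives the same signal as the Datadog rule at the point where the template is still cheap to change.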