AWS Batch Job is defined as a privileged container
Description
Setting `privileged` to `true` in a job definition's `containerProperties` gives the container elevated permissions on the host container instance, roughly equivalent to root: the flag maps to `docker run --privileged`, which grants every Linux capability and access to all host devices. That is sometimes used to reach GPUs or other hardware accelerators, or to change system-level configuration, but it also removes most of the isolation between the job and the host. A compromised or malicious job can then read or alter host resources and affect other jobs scheduled on the same instance. Leave `privileged` unset or `false`; where a job genuinely needs hardware, request it explicitly (for example, a GPU through `resourceRequirements`) rather than handing the container the whole host. The flag is not applicable to jobs that run on Fargate resources.
Remediation
Terraform
```hcl
resource "aws_batch_job_definition" "pass" {
  name = "tf_test_batch_job_definition"
  type = "container"

  # "privileged" must be false or omitted for this rule to pass.
  container_properties = <<CONTAINER_PROPERTIES
{
  "command": ["ls", "-la"],
  "image": "busybox",
  "memory": 1024,
  "vcpus": 1,
  "privileged": false,
  "volumes": [
    {
      "host": { "sourcePath": "/tmp" },
      "name": "tmp"
    }
  ],
  "environment": [
    { "name": "VARNAME", "value": "VARVAL" }
  ],
  "mountPoints": [
    {
      "sourceVolume": "tmp",
      "containerPath": "/tmp",
      "readOnly": false
    }
  ],
  "ulimits": [
    {
      "hardLimit": 1024,
      "name": "nofile",
      "softLimit": 1024
    }
  ]
}
CONTAINER_PROPERTIES
}
```
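As an added example (not part of the original page and not Checkov's own implementation), the following Python mirrors what this rule looks at in the `container_properties` JSON string and shows the least-privilege substitution for the common GPU case. The job definitions are constructed for the example and the function names (`is_privileged`, `evaluate`, `gpu_instead_of_privileged`) are my own; the `resourceRequirements` shape is the AWS Batch API's.

```python
import json


def is_privileged(container_properties):
    """Return True when the containerProperties JSON asks for a privileged container.

    The Terraform argument is a JSON string, so parse it instead of grepping for
    the key. AWS Batch treats a missing or null "privileged" as false, so an
    omitted key must not be reported as a finding.
    """
    props = json.loads(container_properties)
    return bool(props.get("privileged"))


def evaluate(job_definitions):
    """Map each Terraform resource address to PASSED/FAILED for this rule."""
    return {
        address: "FAILED" if is_privileged(props) else "PASSED"
        for address, props in job_definitions.items()
    }


def gpu_instead_of_privileged(container_properties, gpus=1):
    """Return a copy of the properties with "privileged" dropped and the GPU
    requested through resourceRequirements, which is how a Batch job reaches an
    accelerator without being handed the whole host.
    """
    props = json.loads(container_properties)
    props.pop("privileged", None)
    reqs = [r for r in props.get("resourceRequirements", []) if r.get("type") != "GPU"]
    reqs.append({"type": "GPU", "value": str(gpus)})
    props["resourceRequirements"] = reqs
    return props


# Constructed samples (not from the page): the page's passing definition trimmed,
# a failing one that uses privileged to reach a GPU, one that omits the key, and
# one that sets it to null.
PASS_PROPS = json.dumps({"command": ["ls", "-la"], "image": "busybox",
                         "memory": 1024, "vcpus": 1, "privileged": False})
FAIL_PROPS = json.dumps({"command": ["nvidia-smi"],
                         "image": "nvidia/cuda:12.2.0-base-ubuntu22.04",
                         "memory": 4096, "vcpus": 2, "privileged": True})
OMITTED_PROPS = json.dumps({"command": ["ls"], "image": "busybox",
                            "memory": 512, "vcpus": 1})
NULL_PROPS = json.dumps({"command": ["ls"], "image": "busybox",
                         "memory": 512, "vcpus": 1, "privileged": None})

SAMPLES = {
    "aws_batch_job_definition.pass": PASS_PROPS,
    "aws_batch_job_definition.fail": FAIL_PROPS,
    "aws_batch_job_definition.omitted": OMITTED_PROPS,
}

if __name__ == "__main__":
    for address, verdict in evaluate(SAMPLES).items():
        print(f"{verdict}: {address}")
    # Show the remediated form of the failing definition.
    print(json.dumps(gpu_instead_of_privileged(FAIL_PROPS), indent=2))
```

The checker parses the JSON rather than pattern-matching the HCL text so that `"privileged": false`, an omitted key and `"privileged": null` all pass, and only an explicit `true` fails. The remediation helper keeps any non-GPU `resourceRequirements` entries and replaces an existing GPU entry rather than appending a duplicate.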
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0258 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_210 |