Batch job has privileged container

ID

aws_batch_job_privileged_container

Severity

high

Vendor

AWS

Resource

IAM

Tags

reachable

Description

Batch job has privileged container. When privileged=true, the container is given elevated privileges on the host container instance (similar to the root user). This parameter maps to Privileged in the Create a container section of the Docker Remote API and the --privileged option to docker run.

Learn more about this topic at AWS Batch Job properties.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: My Batch Job Definition
      community.aws.batch_job_definition:
        job_definition_name: My Batch Job Definition
        state: present
        type: container
        parameters:
          Param1: Val1
          Param2: Val2
        image: <Docker Image URL>
        vcpus: 1
        memory: 512
        command:
          - python
          - run_my_script.py
          - arg1
        job_role_arn: <Job Role ARN>
        attempts: 3
        privileged: true   # flagged: grants the container root-equivalent access to the host instance
      register: job_definition_create_result

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: My Batch Job Definition
      community.aws.batch_job_definition:
        job_definition_name: My Batch Job Definition
        state: present
        type: container
        parameters:
          Param1: Val1
          Param2: Val2
        image: <Docker Image URL>
        vcpus: 1
        memory: 512
        command:
          - python
          - run_my_script.py
          - arg1
        job_role_arn: <Job Role ARN>
        attempts: 3
        # privileged is omitted; AWS Batch treats an unset privileged flag as false
      register: job_definition_create_result
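The two playbooks above show the flag being set and removed; what a practitioner usually also wants is a way to find definitions that already carry it. The following Python script is an added example, not code from the rule page or from the community.aws collection. It reads the JSON that `aws batch describe-job-definitions --status ACTIVE` prints and reports every definition whose container requests privileged=true, covering both single-container definitions (containerProperties.privileged) and multi-node parallel definitions (one container per entry in nodeProperties.nodeRangeProperties). It also applies the same rule to an already-parsed Ansible playbook. The sample describe output, the playbook literal, the job definition names and the account id 123456789012 are all constructed for the demonstration; the script name audit_batch_privileged.py in the usage note is assumed.

```python
"""Report AWS Batch job definitions and Ansible tasks that request privileged containers.

Added example; the inputs below are constructed and follow the shape of the
DescribeJobDefinitions response and of a parsed Ansible playbook.
"""
import json
import sys

# Constructed sample of `aws batch describe-job-definitions --status ACTIVE` output.
SAMPLE_DESCRIBE_OUTPUT = """
{
  "jobDefinitions": [
    {"jobDefinitionName": "etl-privileged", "revision": 1, "type": "container",
     "containerProperties": {"image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/etl:1",
                             "vcpus": 1, "memory": 512,
                             "command": ["python", "run_my_script.py", "arg1"],
                             "privileged": true},
     "retryStrategy": {"attempts": 3}},
    {"jobDefinitionName": "etl-hardened", "revision": 2, "type": "container",
     "containerProperties": {"image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/etl:2",
                             "vcpus": 1, "memory": 512, "privileged": false}},
    {"jobDefinitionName": "mpi-training", "revision": 1, "type": "multinode",
     "nodeProperties": {"numNodes": 2, "mainNode": 0,
                        "nodeRangeProperties": [
                          {"targetNodes": "0:",
                           "container": {"image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mpi:1",
                                         "vcpus": 4, "memory": 8192, "privileged": true}}]}}
  ]
}
"""

# Constructed parsed playbook mirroring the rule's own example (a YAML loader would yield this).
SAMPLE_PLAYBOOK = [
    {"name": "Example playbook", "hosts": "localhost", "tasks": [
        {"name": "My Batch Job Definition",
         "community.aws.batch_job_definition": {
             "job_definition_name": "My Batch Job Definition", "state": "present",
             "type": "container", "image": "<Docker Image URL>", "vcpus": 1,
             "memory": 512, "attempts": 3, "privileged": True}},
        {"name": "Hardened Batch Job Definition",
         "community.aws.batch_job_definition": {
             "job_definition_name": "Hardened", "state": "present",
             "type": "container", "image": "<Docker Image URL>", "vcpus": 1, "memory": 512}},
    ]}
]

# The module's fully qualified name and its short legacy name.
BATCH_MODULE_NAMES = ("community.aws.batch_job_definition", "batch_job_definition")


def privileged_containers(job_definitions):
    """Return (name, revision, location) for every container that sets privileged=true."""
    findings = []
    for jd in job_definitions:
        name, rev = jd.get("jobDefinitionName", "<unnamed>"), jd.get("revision")
        # Single-container job definitions carry the flag directly.
        if (jd.get("containerProperties") or {}).get("privileged") is True:
            findings.append((name, rev, "containerProperties"))
        # Multi-node parallel definitions carry one container per node range.
        for nr in (jd.get("nodeProperties") or {}).get("nodeRangeProperties", []):
            if (nr.get("container") or {}).get("privileged") is True:
                findings.append((name, rev, f"nodeRangeProperties[{nr.get('targetNodes')}]"))
    return findings


def audit_describe_output(describe_output_json):
    """Parse describe-job-definitions JSON and return the privileged findings."""
    data = json.loads(describe_output_json)
    return privileged_containers(data.get("jobDefinitions", []))


def playbook_privileged_tasks(playbook):
    """Return the names of batch_job_definition tasks in a parsed playbook that set privileged: true."""
    flagged = []
    for play in playbook:
        for task in play.get("tasks", []):
            for module in BATCH_MODULE_NAMES:
                args = task.get(module)
                if isinstance(args, dict) and args.get("privileged") is True:
                    flagged.append(task.get("name", "<unnamed task>"))
    return flagged


if __name__ == "__main__":
    # Read real describe output from stdin if piped in, otherwise use the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    for name, rev, where in audit_describe_output(raw):
        print(f"PRIVILEGED {name}:{rev} ({where})")
    for task_name in playbook_privileged_tasks(SAMPLE_PLAYBOOK):
        print(f"PRIVILEGED playbook task: {task_name}")
```

Against a real account, pipe the CLI output in: `aws batch describe-job-definitions --status ACTIVE | python audit_batch_privileged.py`. Only ACTIVE revisions are queried because an INACTIVE revision can no longer be submitted as a job. The playbook check takes the structure a YAML loader produces, so it can be dropped into a pre-commit or CI step alongside the scanner rule this page documents.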