Batch Job Definition With Privileged Container Properties

  • Query id: 76ddf32c-85b1-4808-8935-7eef8030ab36
  • Query name: Batch Job Definition With Privileged Container Properties
  • Platform: CloudFormation
  • Severity: High
  • Category: Insecure Configurations
  • URL: Github

Description

Batch Job Definition should not have Privileged Container Properties
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "BatchJobDefinition"
Resources:
  JobDefinition:
    Type: AWS::Batch::JobDefinition
    Properties:
      Type: container
      JobDefinitionName: nvidia-smi
      ContainerProperties:
        MountPoints:
          - ReadOnly: false
            SourceVolume: nvidia
            ContainerPath: /usr/local/nvidia
        Volumes:
          - Host:
              SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
            Name: nvidia
        Command:
          - nvidia-smi
        Memory: 2000
        Privileged: true
        JobRoleArn: String
        ReadonlyRootFilesystem: true
        Vcpus: 2
        Image: nvidia/cuda
Postitive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "BatchJobDefinition",
  "Resources": {
    "JobDefinition": {
      "Type": "AWS::Batch::JobDefinition",
      "Properties": {
        "Type": "container",
        "JobDefinitionName": "nvidia-smi",
        "ContainerProperties": {
          "Memory": 2000,
          "Privileged": true,
          "Vcpus": 2,
          "MountPoints": [
            {
              "ReadOnly": false,
              "SourceVolume": "nvidia",
              "ContainerPath": "/usr/local/nvidia"
            }
          ],
          "Command": [
            "nvidia-smi"
          ],
          "ReadonlyRootFilesystem": true,
          "Image": "nvidia/cuda",
          "Volumes": [
            {
              "Host": {
                "SourcePath": "/var/lib/nvidia-docker/volumes/nvidia_driver/latest"
              },
              "Name": "nvidia"
            }
          ],
          "JobRoleArn": "String"
        }
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "BatchJobDefinition"
Resources:
  JobDefinition:
    Type: AWS::Batch::JobDefinition
    Properties:
      Type: container
      JobDefinitionName: nvidia-smi
      ContainerProperties:
        MountPoints:
          - ReadOnly: false
            SourceVolume: nvidia
            ContainerPath: /usr/local/nvidia
        Volumes:
          - Host:
              SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
            Name: nvidia
        Command:
          - nvidia-smi
        Memory: 2000
        Privileged: false
        JobRoleArn: String
        ReadonlyRootFilesystem: true
        Vcpus: 2
        Image: nvidia/cuda
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "BatchJobDefinition"
Resources:
  JobDefinition1:
    Type: AWS::Batch::JobDefinition
    Properties:
      Type: container
      JobDefinitionName: nvidia-smi
      ContainerProperties:
        MountPoints:
          - ReadOnly: false
            SourceVolume: nvidia
            ContainerPath: /usr/local/nvidia
        Volumes:
          - Host:
              SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
            Name: nvidia
        Command:
          - nvidia-smi
        Memory: 2000
        JobRoleArn: String
        ReadonlyRootFilesystem: true
        Vcpus: 2
        Image: nvidia/cuda
Negative test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "BatchJobDefinition",
  "Resources": {
    "JobDefinition": {
      "Properties": {
        "Type": "container",
        "JobDefinitionName": "nvidia-smi",
        "ContainerProperties": {
          "Command": [
            "nvidia-smi"
          ],
          "JobRoleArn": "String",
          "Vcpus": 2,
          "ReadonlyRootFilesystem": true,
          "Image": "nvidia/cuda",
          "MountPoints": [
            {
              "ReadOnly": false,
              "SourceVolume": "nvidia",
              "ContainerPath": "/usr/local/nvidia"
            }
          ],
          "Volumes": [
            {
              "Host": {
                "SourcePath": "/var/lib/nvidia-docker/volumes/nvidia_driver/latest"
              },
              "Name": "nvidia"
            }
          ],
          "Memory": 2000,
          "Privileged": false
        }
      },
      "Type": "AWS::Batch::JobDefinition"
    }
  }
}

Negative test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "BatchJobDefinition",
  "Resources": {
    "JobDefinition1": {
      "Type": "AWS::Batch::JobDefinition",
      "Properties": {
        "Type": "container",
        "JobDefinitionName": "nvidia-smi",
        "ContainerProperties": {
          "Memory": 2000,
          "JobRoleArn": "String",
          "ReadonlyRootFilesystem": true,
          "Vcpus": 2,
          "Image": "nvidia/cuda",
          "MountPoints": [
            {
              "SourceVolume": "nvidia",
              "ContainerPath": "/usr/local/nvidia",
              "ReadOnly": false
            }
          ],
          "Volumes": [
            {
              "Host": {
                "SourcePath": "/var/lib/nvidia-docker/volumes/nvidia_driver/latest"
              },
              "Name": "nvidia"
            }
          ],
          "Command": [
            "nvidia-smi"
          ]
        }
      }
    }
  }
}