Batch Job Definition With Privileged Container Properties
- Query id: 76ddf32c-85b1-4808-8935-7eef8030ab36
- Query name: Batch Job Definition With Privileged Container Properties
- Platform: CloudFormation
- Severity: High
- Category: Insecure Configurations
- URL: Github
Description¶
Batch Job Definition should not have Privileged Container Properties
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "BatchJobDefinition"
Resources:
JobDefinition:
Type: AWS::Batch::JobDefinition
Properties:
Type: container
JobDefinitionName: nvidia-smi
ContainerProperties:
MountPoints:
- ReadOnly: false
SourceVolume: nvidia
ContainerPath: /usr/local/nvidia
Volumes:
- Host:
SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
Name: nvidia
Command:
- nvidia-smi
Memory: 2000
Privileged: true
JobRoleArn: String
ReadonlyRootFilesystem: true
Vcpus: 2
Image: nvidia/cuda
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "BatchJobDefinition",
"Resources": {
"JobDefinition": {
"Type": "AWS::Batch::JobDefinition",
"Properties": {
"Type": "container",
"JobDefinitionName": "nvidia-smi",
"ContainerProperties": {
"Memory": 2000,
"Privileged": true,
"Vcpus": 2,
"MountPoints": [
{
"ReadOnly": false,
"SourceVolume": "nvidia",
"ContainerPath": "/usr/local/nvidia"
}
],
"Command": [
"nvidia-smi"
],
"ReadonlyRootFilesystem": true,
"Image": "nvidia/cuda",
"Volumes": [
{
"Host": {
"SourcePath": "/var/lib/nvidia-docker/volumes/nvidia_driver/latest"
},
"Name": "nvidia"
}
],
"JobRoleArn": "String"
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "BatchJobDefinition"
Resources:
JobDefinition:
Type: AWS::Batch::JobDefinition
Properties:
Type: container
JobDefinitionName: nvidia-smi
ContainerProperties:
MountPoints:
- ReadOnly: false
SourceVolume: nvidia
ContainerPath: /usr/local/nvidia
Volumes:
- Host:
SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
Name: nvidia
Command:
- nvidia-smi
Memory: 2000
Privileged: false
JobRoleArn: String
ReadonlyRootFilesystem: true
Vcpus: 2
Image: nvidia/cuda
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "BatchJobDefinition"
Resources:
JobDefinition1:
Type: AWS::Batch::JobDefinition
Properties:
Type: container
JobDefinitionName: nvidia-smi
ContainerProperties:
MountPoints:
- ReadOnly: false
SourceVolume: nvidia
ContainerPath: /usr/local/nvidia
Volumes:
- Host:
SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
Name: nvidia
Command:
- nvidia-smi
Memory: 2000
JobRoleArn: String
ReadonlyRootFilesystem: true
Vcpus: 2
Image: nvidia/cuda
Negative test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "BatchJobDefinition",
"Resources": {
"JobDefinition": {
"Properties": {
"Type": "container",
"JobDefinitionName": "nvidia-smi",
"ContainerProperties": {
"Command": [
"nvidia-smi"
],
"JobRoleArn": "String",
"Vcpus": 2,
"ReadonlyRootFilesystem": true,
"Image": "nvidia/cuda",
"MountPoints": [
{
"ReadOnly": false,
"SourceVolume": "nvidia",
"ContainerPath": "/usr/local/nvidia"
}
],
"Volumes": [
{
"Host": {
"SourcePath": "/var/lib/nvidia-docker/volumes/nvidia_driver/latest"
},
"Name": "nvidia"
}
],
"Memory": 2000,
"Privileged": false
}
},
"Type": "AWS::Batch::JobDefinition"
}
}
}
Negative test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "BatchJobDefinition",
"Resources": {
"JobDefinition1": {
"Type": "AWS::Batch::JobDefinition",
"Properties": {
"Type": "container",
"JobDefinitionName": "nvidia-smi",
"ContainerProperties": {
"Memory": 2000,
"JobRoleArn": "String",
"ReadonlyRootFilesystem": true,
"Vcpus": 2,
"Image": "nvidia/cuda",
"MountPoints": [
{
"SourceVolume": "nvidia",
"ContainerPath": "/usr/local/nvidia",
"ReadOnly": false
}
],
"Volumes": [
{
"Host": {
"SourcePath": "/var/lib/nvidia-docker/volumes/nvidia_driver/latest"
},
"Name": "nvidia"
}
],
"Command": [
"nvidia-smi"
]
}
}
}
}
}