Batch Job Definition With Privileged Container Properties

  • Query id: defe5b18-978d-4722-9325-4d1975d3699f
  • Query name: Batch Job Definition With Privileged Container Properties
  • Platform: Ansible
  • Severity: High
  • Category: Insecure Configurations
  • CWE: 250
  • URL: Github

Description

A Batch job definition's container properties should not set `privileged: true`. When this parameter is true the container is given elevated privileges on the host container instance (the equivalent of Docker's `--privileged` flag, roughly root on the host), so a compromised job image or script can break out to the EC2 instance that runs it and reach any other jobs scheduled there. Leave `privileged` unset (it defaults to false) or set it to `false` explicitly, and run the job as a non-root user with a read-only root filesystem where the workload allows it. The second negative sample below is compliant precisely because it relies on that default.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: My Batch Job Definition
  community.aws.aws_batch_job_definition:
    job_definition_name: My Batch Job Definition
    state: present
    type: container
    parameters:
      Param1: Val1
      Param2: Val2
    privileged: true
    image: <Docker Image URL>
    vcpus: 1
    memory: 512
    command:
      - python
      - run_my_script.py
      - arg1
    job_role_arn: <Job Role ARN>
    attempts: 3
  register: job_definition_create_result

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: My Batch Job Definition
  community.aws.aws_batch_job_definition:
    job_definition_name: My Batch Job Definition without privilege
    state: present
    type: container
    parameters:
      Param1: Val1
      Param2: Val2
    privileged: false
    image: <Docker Image URL>
    vcpus: 1
    memory: 512
    command:
      - python
      - run_my_script.py
      - arg1
    job_role_arn: <Job Role ARN>
    attempts: 3
  register: job_definition_create_result
- name: My Batch Job Definition without explicit privilege
  community.aws.aws_batch_job_definition:
    job_definition_name: My Batch Job Definition
    state: present
    type: container
    parameters:
      Param1: Val1
      Param2: Val2
    image: <Docker Image URL>
    vcpus: 1
    memory: 512
    command:
      - python
      - run_my_script.py
      - arg1
    job_role_arn: <Job Role ARN>
    attempts: 3
  register: job_definition_create_result
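The check this query performs, written out as an added example (it is not the KICS query source and not code from the `community.aws` collection): walk an Ansible task list, find every `community.aws.aws_batch_job_definition` task (the short name `aws_batch_job_definition` is also accepted, since older playbooks use it) and report those whose `privileged` argument is truthy. Tasks are embedded here as Python structures, which is what `yaml.safe_load` would produce from the samples above; the block with the `"yes"` string and the short module name is constructed to show that Ansible's boolean coercion must be mirrored, otherwise a quoted `"yes"` slips past a naive `== True` check. The set of truthy spellings is an assumption taken from Ansible's boolean conversion rules.

```python
"""Detection logic for privileged AWS Batch job definitions in Ansible tasks.

Added example, not part of the KICS query or the community.aws module.
"""

from typing import Any, Dict, Iterator, List, Tuple

# Module names the check applies to: the fully qualified collection name used
# on this page and the short name older playbooks still use.
BATCH_JOB_DEFINITION_MODULES = {
    "community.aws.aws_batch_job_definition",
    "aws_batch_job_definition",
}

# String spellings Ansible's bool type accepts as true (assumption: mirrors
# ansible's BOOLEANS_TRUE; a plain `== True` would miss `privileged: "yes"`).
TRUTHY_STRINGS = {"y", "yes", "on", "1", "true", "t"}


def is_truthy(value: Any) -> bool:
    """Coerce a YAML scalar the way Ansible coerces a bool argument."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value == 1
    if isinstance(value, str):
        return value.strip().lower() in TRUTHY_STRINGS
    return False


def iter_tasks(tasks: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Yield every leaf task, descending into block/rescue/always sections."""
    for task in tasks:
        if not isinstance(task, dict):
            continue
        nested = False
        for section in ("block", "rescue", "always"):
            if isinstance(task.get(section), list):
                nested = True
                yield from iter_tasks(task[section])
        if not nested:
            yield task


def find_privileged_job_definitions(
    tasks: List[Dict[str, Any]],
) -> List[Tuple[str, str]]:
    """Return (task name, job_definition_name) for each offending task."""
    findings = []
    for task in iter_tasks(tasks):
        for module in BATCH_JOB_DEFINITION_MODULES:
            args = task.get(module)
            if isinstance(args, dict) and is_truthy(args.get("privileged", False)):
                findings.append(
                    (task.get("name", "<unnamed>"), args.get("job_definition_name", "<unset>"))
                )
    return findings


# Constructed sample: the page's positive and two negative samples, plus one
# block-wrapped task using the short module name and a quoted boolean.
SAMPLE_TASKS: List[Dict[str, Any]] = [
    {
        "name": "My Batch Job Definition",
        "community.aws.aws_batch_job_definition": {
            "job_definition_name": "My Batch Job Definition",
            "state": "present", "type": "container",
            "privileged": True, "image": "<Docker Image URL>",
            "vcpus": 1, "memory": 512,
        },
    },
    {
        "name": "My Batch Job Definition without privilege",
        "community.aws.aws_batch_job_definition": {
            "job_definition_name": "My Batch Job Definition without privilege",
            "state": "present", "type": "container",
            "privileged": False, "image": "<Docker Image URL>",
        },
    },
    {
        "name": "My Batch Job Definition without explicit privilege",
        "community.aws.aws_batch_job_definition": {
            "job_definition_name": "My Batch Job Definition",
            "state": "present", "type": "container",
            "image": "<Docker Image URL>",
        },
    },
    {
        "name": "Wrapped in a block",
        "block": [
            {
                "name": "Short module name, string boolean",
                "aws_batch_job_definition": {
                    "job_definition_name": "legacy-job",
                    "state": "present", "type": "container",
                    "privileged": "yes", "image": "<Docker Image URL>",
                },
            }
        ],
    },
]

if __name__ == "__main__":
    for task_name, job_name in find_privileged_job_definitions(SAMPLE_TASKS):
        print(f"privileged container: task '{task_name}' defines job '{job_name}'")
```

Only the first sample and the block-wrapped task are reported; the explicit `privileged: false` and the omitted parameter both pass, matching the negative samples above.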