ECS task definitions should not share the host's process namespace


Description

This check verifies whether Amazon ECS task definitions share the host's process (PID) namespace with the containers they run. The check fails when a task definition's pidMode parameter is set to host. It is evaluated against the most recent active revision of each task definition; older or deregistered revisions are not considered.

A process ID (PID) namespace isolates processes from one another: processes in one namespace cannot see processes in another, and PID numbers, including PID 1, can be reused in each namespace. If a task shares the host's PID namespace, every container in that task can see all processes on the host, which defeats process-level isolation between the host and its containers. A container with that visibility (and sufficient privileges) can inspect, signal, or kill host processes, and ps or /proc gives it host command lines and environment variables. For that reason, do not set pidMode to host: leave it unset so each container gets its own namespace, or set it to task if containers within the same task need to share one.

Remediation

From the console

pidMode is a task-level parameter of the task definition, not a per-container setting. Its valid values are host and task; when it is omitted, each container gets its own PID namespace (the default). Task definition revisions cannot be edited in place, so remediation means registering a new revision with pidMode removed or set to task, then updating the service or tasks to use that revision; the check then evaluates the new revision as the most recent active one. Only the EC2 launch type accepts host; Fargate supports only task. To configure pidMode on a task definition, see Task definition parameters in the Amazon Elastic Container Service Developer Guide.
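The following added example (not code from Datadog or AWS) implements both halves of this page in Python: the check in Description, which looks only at the most recent active revision of a task definition family and fails when pidMode is host, and the remediation above, which builds a payload for a new revision with host sharing removed. The revision data is constructed to resemble the JSON returned by `aws ecs describe-task-definition`; nothing here calls AWS, and the list of read-only fields stripped before re-registration is the author's, based on fields describe-task-definition returns that register-task-definition does not accept.

```python
"""Evaluate ECS task definitions for host PID-namespace sharing.

Added example. The data below is constructed to look like the output of
`aws ecs describe-task-definition`; nothing here calls AWS.
"""
import copy
from typing import Iterable, Optional

# pidMode is a task-level field. "host" shares the EC2 host's PID namespace
# with every container in the task; "task" shares one namespace among the
# task's containers only; omitting it gives each container its own namespace.
HOST_PID_MODE = "host"

# Fields returned by describe-task-definition that register-task-definition
# does not accept, so a remediated copy drops them before re-registration.
READ_ONLY_FIELDS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}

NGINX = [{"name": "nginx", "image": "nginx:1.25", "essential": True}]
ARN = "arn:aws:ecs:us-east-1:123456789012:task-definition/web:{}"  # constructed

# Constructed revisions of one task definition family. Revision 3 is the
# most recent ACTIVE revision and is the one the check evaluates; revision 4
# is newer but deregistered, so it is ignored.
SAMPLE_REVISIONS = [
    {"family": "web", "revision": 1, "status": "ACTIVE",
     "taskDefinitionArn": ARN.format(1), "containerDefinitions": NGINX},
    {"family": "web", "revision": 2, "status": "INACTIVE", "pidMode": "task",
     "taskDefinitionArn": ARN.format(2), "containerDefinitions": NGINX},
    {"family": "web", "revision": 3, "status": "ACTIVE", "pidMode": "host",
     "taskDefinitionArn": ARN.format(3), "requiresCompatibilities": ["EC2"],
     "containerDefinitions": NGINX},
    {"family": "web", "revision": 4, "status": "INACTIVE", "pidMode": "task",
     "taskDefinitionArn": ARN.format(4), "containerDefinitions": NGINX},
]


def latest_active_revision(revisions: Iterable[dict]) -> Optional[dict]:
    """Return the highest-numbered ACTIVE revision, or None if there is none."""
    active = [r for r in revisions if r.get("status") == "ACTIVE"]
    return max(active, key=lambda r: r["revision"]) if active else None


def shares_host_pid_namespace(task_def: dict) -> bool:
    """True when the task definition sets pidMode to "host"."""
    return task_def.get("pidMode") == HOST_PID_MODE


def evaluate_family(revisions: Iterable[dict]) -> dict:
    """Apply the check to a family, using only its latest active revision."""
    latest = latest_active_revision(revisions)
    if latest is None:
        return {"result": "SKIP", "reason": "no active revision"}
    if shares_host_pid_namespace(latest):
        return {"result": "FAIL", "revision": latest["revision"],
                "reason": "pidMode is host"}
    return {"result": "PASS", "revision": latest["revision"],
            "reason": "pidMode is " + latest.get("pidMode", "unset")}


def remediate(task_def: dict, pid_mode: Optional[str] = None) -> dict:
    """Build a register-task-definition payload with host sharing removed.

    pid_mode=None drops the field (one namespace per container); "task"
    keeps a namespace shared inside the task only. "host" is refused, as is
    any other value; Fargate only supports "task" in any case.
    """
    if pid_mode not in (None, "task"):
        raise ValueError(f"pidMode {pid_mode!r} is not a safe value")
    payload = {k: copy.deepcopy(v) for k, v in task_def.items()
               if k not in READ_ONLY_FIELDS}
    payload.pop("pidMode", None)
    if pid_mode is not None:
        payload["pidMode"] = pid_mode
    return payload


if __name__ == "__main__":
    print(evaluate_family(SAMPLE_REVISIONS))
    fixed = remediate(latest_active_revision(SAMPLE_REVISIONS))
    # Registering `fixed` would create revision 5, which then becomes the
    # latest active revision and the one the check evaluates.
    print(evaluate_family(SAMPLE_REVISIONS + [dict(fixed, revision=5, status="ACTIVE")]))
```

The evaluation deliberately ignores revision 4 even though it has the safe value, because it is INACTIVE; a deregistered fix does not clear the finding. Conversely, registering the remediated payload is not enough on its own: the service or scheduled task must be updated to the new revision, or the old one keeps running.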
