AWS ECS task definitions should have secure networking modes and user definitions

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Description

This configuration check verifies that unauthorized permissions do not exist in Amazon Elastic Container Service (Amazon ECS) task definitions that have NetworkMode set to host. If the NetworkMode is host, the rule will be marked as NON_COMPLIANT if the container definitions have privileged set to false or empty, and user set to root or empty.

It is recommended to avoid granting elevated privileges in Amazon ECS task definitions. When privileged is set to true, the container is granted elevated permissions on the host container instance, similar to the root user.

Similarly, it is recommended to avoid running tasks in host network mode when running containers with the root user (UID 0). As a security best practice, you should always use a non-root user.

Remediation

From the console

  1. Sign in to the AWS Management Console.
  2. Navigate to the Amazon ECS service.
  3. Select the cluster where the task definition with non-compliant configurations is located.
  4. In the navigation pane, choose Task Definitions.
  5. Select the task definition that has NetworkMode set to host and contains privileged set to false or empty, and user set to root or empty.
  6. Click Edit to modify the task definition.
  7. If required, update the privileged setting to true based on your application requirements.
  8. Ensure that the user is set to a non-root user with a non-zero UID.
  9. Save the changes to the task definition.
PREVIEWING: rtrieu/product-analytics-ui-changes