AWS ECS task definitions should have secure networking modes and user definitions
Description
This configuration check verifies that unauthorized permissions do not exist in Amazon Elastic Container Service (Amazon ECS) task definitions that have NetworkMode set to host. If the NetworkMode is host, the rule will be marked as NON_COMPLIANT if the container definitions have privileged set to false or empty, and user set to root or empty.
It is recommended to avoid granting elevated privileges in Amazon ECS task definitions. When privileged is set to true
, the container is granted elevated permissions on the host container instance, similar to the root user.
Similarly, it is recommended to avoid running tasks in host network mode when running containers with the root user (UID 0). As a security best practice, you should always use a non-root user.
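The rule logic above, reimplemented as an offline check you can run over task definition JSON (added example, not the page's or AWS's own code). It assumes the camelCase shape returned by the ECS DescribeTaskDefinition API (networkMode, containerDefinitions, privileged, user); the three task definitions at the bottom are constructed samples.

```python
"""Evaluate ECS task definitions against the host-mode user/privileged rule."""

# 'user' may be written as user, uid, user:group, uid:gid, user:gid or uid:group.
ROOT_IDENTIFIERS = {"root", "0"}


def user_is_root(user):
    """True when the container user is unset, 'root', or UID 0 (group part ignored)."""
    if not user:
        return True
    user_part = str(user).split(":", 1)[0].strip()
    return user_part in ROOT_IDENTIFIERS


def evaluate_task_definition(task_def):
    """Return (status, offending_container_names) for one task definition.

    status is NOT_APPLICABLE when the task does not use host networking,
    NON_COMPLIANT when any container is unprivileged (false/empty) AND runs as
    root/empty user, otherwise COMPLIANT.
    """
    if task_def.get("networkMode") != "host":
        return "NOT_APPLICABLE", []
    findings = []
    for container in task_def.get("containerDefinitions", []):
        privileged = bool(container.get("privileged", False))  # empty counts as false
        if not privileged and user_is_root(container.get("user")):
            findings.append(container.get("name", "<unnamed>"))
    return ("NON_COMPLIANT" if findings else "COMPLIANT"), findings


# Constructed sample task definitions (not real deployments).
HOST_MODE_ROOT_TASK = {
    "family": "demo-host", "networkMode": "host",
    "containerDefinitions": [
        {"name": "web", "image": "nginx"},                       # no user, no privileged
        {"name": "sidecar", "image": "busybox", "user": "1000:1000"},
    ],
}
HOST_MODE_FIXED_TASK = {
    "family": "demo-host-fixed", "networkMode": "host",
    "containerDefinitions": [{"name": "web", "image": "nginx", "user": "1000"}],
}
AWSVPC_TASK = {
    "family": "demo-awsvpc", "networkMode": "awsvpc",
    "containerDefinitions": [{"name": "web", "image": "nginx"}],
}

if __name__ == "__main__":
    for task in (HOST_MODE_ROOT_TASK, HOST_MODE_FIXED_TASK, AWSVPC_TASK):
        print(task["family"], *evaluate_task_definition(task))
```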
From the console
- Sign in to the AWS Management Console.
- Navigate to the Amazon ECS service.
- Select the cluster where the task definition with non-compliant configurations is located.
- In the navigation pane, choose Task Definitions.
- Select the task definition that has NetworkMode set to host and contains privileged set to false or empty, and user set to root or empty.
- Click Edit to modify the task definition.
- If required, update the privileged setting to true based on your application requirements.
- Ensure that the user is set to a non-root user with a non-zero UID.
- Save the changes to the task definition.