Description:

AWS Security Hub provides you with a comprehensive view of the security state of your AWS resources. Security Hub collects security data from across AWS accounts and services and helps you analyze your security trends to identify and prioritize the security issues across your AWS environment.

Elastic Container Service (ECS) is a fully managed container orchestration service. It makes it easy to run, stop, and manage containers on a cluster. It enables you to inject sensitive data into your containers by storing that data in AWS Secrets Manager secrets and then referencing them in your container definition.

As a security best practice, pass sensitive information to containers as environment variables rather than embedding it in the task definition. You can securely inject data into containers by referencing values stored in AWS Systems Manager Parameter Store or AWS Secrets Manager in the container definition of an Amazon ECS task definition. ECS then exposes the sensitive information to the container as environment variables or in the container's log configuration.
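As an added example (not code from the page or from AWS), the following Python check audits a task definition for the practice described above: it flags sensitive-looking variables passed inline under "environment" and confirms that every "secrets" entry references Secrets Manager or Parameter Store. The two task definitions, the secret name and the ARN are constructed sample data.

```python
import json
import re

# Constructed sample task definitions, not taken from the page: the first passes a
# database password inline, the second references a Secrets Manager secret instead.
WEAK_TASK_DEF = json.loads("""{
  "family": "orders-api",
  "containerDefinitions": [{
    "name": "api", "image": "example/orders-api:1.0",
    "environment": [{"name": "DB_HOST", "value": "db.internal"},
                    {"name": "DB_PASSWORD", "value": "hunter2"}]}]}""")

FIXED_TASK_DEF = json.loads("""{
  "family": "orders-api",
  "containerDefinitions": [{
    "name": "api", "image": "example/orders-api:1.0",
    "environment": [{"name": "DB_HOST", "value": "db.internal"}],
    "secrets": [{"name": "DB_PASSWORD",
                 "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:orders/db-AbCdEf"}]}]}""")

# Variable names that usually carry credentials (heuristic; extend for your environment).
SENSITIVE_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
# A valueFrom that ECS can inject securely points at Secrets Manager or SSM Parameter Store.
STORE_ARN = re.compile(
    r"^arn:aws:(secretsmanager:[a-z0-9-]+:\d{12}:secret:|ssm:[a-z0-9-]+:\d{12}:parameter/)")


def audit_task_definition(task_def):
    """Return findings: sensitive-looking plaintext environment variables, plus
    'secrets' entries whose valueFrom is not a secret-store reference."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        cname = container.get("name", "?")
        for env in container.get("environment", []):
            if SENSITIVE_NAME.search(env.get("name", "")):
                findings.append(f"{cname}: '{env['name']}' passed as plaintext environment variable")
        for secret in container.get("secrets", []):
            if not STORE_ARN.match(secret.get("valueFrom", "")):
                findings.append(f"{cname}: secret '{secret.get('name')}' does not reference a secret store")
    return findings


if __name__ == "__main__":
    for label, td in (("weak", WEAK_TASK_DEF), ("fixed", FIXED_TASK_DEF)):
        print(label, audit_task_definition(td) or "no findings")
```

The same function can be run over the output of `aws ecs describe-task-definition` for each registered task definition in an account.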


Rationale:

Make sure that no personal or sensitive information is passed in plaintext through ECS task definition environment variables. For this check to work, Security Hub and AWS Secrets Manager must both be enabled so that the data can be properly traced.


Impact:

Passing sensitive data in plaintext can lead to its exposure. Security Hub reports such findings in a standard finding format, which eliminates the need to manage findings data in multiple formats.


Default Value:

For ECS tasks hosted on Amazon EC2 instances, the valid network mode values are none, bridge, awsvpc, and host.

If no network mode is specified, the default network mode is bridge.


Audit:

To find secrets in your ECS task definitions you need Security Hub. Follow these steps to check whether it is enabled:

Step 1: Sign in to the Security Hub console (https://aws.amazon.com/securityhub) using the credentials of the IAM identity.

Step 2: Click the Go to Security Hub button.

Step 3: If you are prompted to enable it, AWS Security Hub is not enabled.


Via CLI Command:

Use the following command to display information about the controls for an enabled standard:

aws securityhub describe-standards-controls \
--standards-subscription-arn <subscription ARN>


Remediation:

Pre-Requisite:

  • Before the implementation steps, ECS is already enabled.

  • You have attached the required policy to the IAM identity that you use to enable Security Hub.

Implementation Steps:

Step 1: Sign in to the Security Hub console (https://aws.amazon.com/securityhub) using the credentials of the IAM identity.

Step 2: Click the Go to Security Hub button.

Step 3: Under Security standards, select the security benchmarks you require and click the Enable Security Hub button.

Security Hub is now enabled.



Via CLI Command:

Use the following command to enable Security Hub from the CLI:

aws securityhub enable-security-hub --enable-default-standards --tags <tag values>


e.g. tag value: '{"Department":"Security"}'


Backout Plan:

Via AWS Console

Follow these steps to disable Security Hub from the console:

Step 1:  Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

Step 2: Confirm that you are using Security Hub in the Region in which you want to disable the control.

Step 3: Go to Settings in the left navigation pane.

Step 4: On the Settings page, go to the General tab.

Step 5: At the bottom of the page, under Disable AWS Security Hub, click the Disable AWS Security Hub button.


Via CLI Command:

Use the following command to disable a Security Hub control:

aws securityhub update-standards-control --standards-control-arn <control ARN> \
--control-status "DISABLED" --disabled-reason <description of reason to disable>


e.g. <control ARN>: "arn:aws:securityhub:us-east-1:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/ACM.1"

<description of reason to disable>: "Not applicable for my service"


Use the following command to disable a security standard:

aws securityhub batch-disable-standards --standards-subscription-arns <subscription ARN>

e.g. subscription ARN: "arn:aws:securityhub:us-west-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0"


Note: We strongly recommend that you never put sensitive information, such as your customer's account numbers, into free-form fields such as the Name field. Any data you enter in Security Hub or other services might get picked up for inclusion in diagnostic logs. When you provide a URL to an external server, don't include credential information in the URL to validate your request to that server.


References:

  1. https://aws.amazon.com/premiumsupport/knowledge-center/ecs-data-security-container-task/

  2. securityhub — AWS CLI 1.19.112 Command Reference

  3. Disabling and enabling individual controls - AWS Security Hub

  4. What is Amazon Elastic Container Service? - Amazon Elastic Container Service