Profile Applicability:

  • Level 1

Description:

Amazon ECS (Elastic Container Service) allows the deployment and management of Docker containers. By default, ECS tasks run in their own isolated environments. However, a task definition can be configured to share the host’s process namespace, which means containers within the task can see and interact with each other’s processes. This undermines the isolation of the task from other containers and from the host, potentially leading to privilege escalation or unwanted interactions.

This SOP ensures that ECS task definitions do not share the host's process namespace, thereby improving security by preventing container processes from interacting with each other in a way that could lead to vulnerabilities.

Rationale:

  • Security: Sharing the host's process namespace can lead to security issues where a process in one container can affect or interfere with another container's processes. This increases the risk of privilege escalation and compromises container isolation.

  • Container Isolation: By not sharing the process namespace, you ensure that each container in ECS tasks is isolated, following best practices for container security.

  • Compliance: Security best practices for containerized workloads, especially in regulated environments, mandate process isolation. Not sharing the host's process namespace helps meet these requirements.

Impact:

Pros:

  • Increased Security: Prevents containers from interacting with each other’s processes, protecting them from unauthorized process access or manipulation.

  • Better Container Isolation: Ensures that containers do not share information they should not have access to, keeping them secure from attacks originating in other containers.

  • Reduced Attack Surface: By enforcing process isolation, you reduce the attack surface available to an attacker who has compromised a container.

Cons:

  • Limited Inter-Container Communication: If containers need to communicate via processes or shared resources, they would require an alternative method such as using networking or shared volumes.

  • Configuration Complexity: While not sharing the host's process namespace improves security, it may require additional configuration for inter-container communication.

Default Value:

By default, ECS tasks are isolated and do not share the host’s process namespace. However, if explicitly configured, tasks can be set to share the process namespace.

Pre-requisite:

  • AWS IAM Permissions:

    • ecs:DescribeTaskDefinition

    • ecs:RegisterTaskDefinition

    • ecs:UpdateService

  • AWS CLI installed and configured.

  • ECS Cluster with running tasks or tasks that need to be configured.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon ECS under Services.

  3. In the ECS Console, go to Task Definitions.

  4. Select the task definition you want to check.

  5. In the Task Definition details page, check the LinuxParameters section.

    • Ensure the sharedMemorySize and pidMode are set to None (i.e., not sharing the host's process namespace).

Using AWS CLI:

To check if sharing the host’s process namespace is enabled for a specific ECS task definition, run:

aws ecs describe-task-definition --task-definition <task-definition-name> --query "taskDefinition.pidMode"

  1. If pidMode is set to host, the ECS task definition is configured to share the host’s process namespace, which is not recommended. If pidMode is set to none, the ECS task is correctly isolated.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Amazon ECS.

  2. Go to Task Definitions and select the task definition you want to modify.

  3. Under Task Definition details, click Create new revision.

  4. In the Container Definitions section, locate the LinuxParameters.

  5. Ensure that the pidMode is set to none (not sharing the process namespace with the host).

  6. Save the new revision of the task definition.

Using AWS CLI:

To register a new ECS task definition with process isolation, run:

# pidMode is a task-level field of the task definition; leaving it unset (the default)
# keeps every container in its own PID namespace. "memory" is a placeholder value:
# at least one of memory/memoryReservation is required per container for the EC2 launch type.
aws ecs register-task-definition \
  --family <task-definition-family> \
  --container-definitions '[{"name": "<container-name>", "image": "<container-image>", "memory": 512, "essential": true}]'

To update an existing ECS service with the new task definition, run:

aws ecs update-service --cluster <cluster-name> --service <service-name> --task-definition <new-task-definition-name>

Verify that the new task definition is using process isolation by checking the pidMode again using the describe-task-definition command:

aws ecs describe-task-definition --task-definition <new-task-definition-name> --query "taskDefinition.pidMode"
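The following is an added worked example, not part of this SOP and not an AWS-provided tool, that serves both the CLI check in the Test Plan and the re-registration step above. It is a stdlib-only Python script that reads the JSON printed by aws ecs describe-task-definition, reports whether pidMode is host, and emits a copy of the task definition with pidMode and the read-only response fields stripped so it can be re-registered with --cli-input-json. The task definition embedded as SAMPLE is constructed for offline use; pidMode and the read-only field names are real ECS API names.

```python
"""Audit an ECS task definition for host PID-namespace sharing and derive a
hardened register-task-definition input from it (stdlib only, no boto3).

Input is the JSON that `aws ecs describe-task-definition` prints; SAMPLE below
is a constructed stand-in so the script runs offline."""
import json
import sys

# Fields present in describe-task-definition output that register-task-definition
# rejects; they must be stripped before the JSON can be re-registered.
READ_ONLY_FIELDS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}

# Constructed sample: a revision that shares the host PID namespace.
SAMPLE = {
    "taskDefinition": {
        "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/example-family:3",
        "family": "example-family",
        "revision": 3,
        "status": "ACTIVE",
        "pidMode": "host",
        "networkMode": "bridge",
        "requiresAttributes": [{"name": "com.amazonaws.ecs.capability.docker-remote-api.1.25"}],
        "compatibilities": ["EC2"],
        "registeredAt": "2024-01-01T00:00:00+00:00",
        "containerDefinitions": [
            {"name": "app", "image": "example/app:1.0", "memory": 512, "essential": True}
        ],
    }
}


def shares_host_pid(task_def: dict) -> bool:
    """True when the task definition shares the host's process namespace.
    pidMode is a task-level field; when it is unset (the default) every container
    gets its own PID namespace."""
    return task_def.get("pidMode") == "host"


def audit(describe_output: dict) -> dict:
    """Summarise one describe-task-definition response as a compliance record."""
    td = describe_output["taskDefinition"]
    return {
        "family": td["family"],
        "revision": td.get("revision"),
        "pidMode": td.get("pidMode"),
        "compliant": not shares_host_pid(td),
    }


def hardened_register_input(task_def: dict) -> dict:
    """Return a copy suitable for `aws ecs register-task-definition --cli-input-json`,
    with read-only fields removed and pidMode dropped so the new revision is isolated."""
    hardened = {k: v for k, v in task_def.items() if k not in READ_ONLY_FIELDS}
    hardened.pop("pidMode", None)
    return hardened


def main() -> None:
    # Usage: python audit_pidmode.py describe-output.json > hardened.json
    # With no argument the constructed SAMPLE is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            source = json.load(fh)
    else:
        source = SAMPLE
    report = audit(source)
    print(json.dumps(report), file=sys.stderr)
    if not report["compliant"]:
        # Register the result with:
        #   aws ecs register-task-definition --cli-input-json file://hardened.json
        print(json.dumps(hardened_register_input(source["taskDefinition"]), indent=2))


if __name__ == "__main__":
    main()
```

The audit deliberately keys on the task-level pidMode field rather than on linuxParameters, because that is where the ECS API records namespace sharing; a query against linuxParameters returns nothing for every task definition and would report every revision as compliant.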

Backout Plan:

If isolating the process namespace causes issues (e.g., inter-container communication issues), revert the changes by enabling the sharing of the host's process namespace:

  1. Identify the affected ECS task definition and review the process namespace configuration.

  2. Revert the task definition to use the host's process namespace:

  # --pid-mode is the task-level option that enables host PID-namespace sharing;
  # "memory" is a placeholder value required per container for the EC2 launch type.
  aws ecs register-task-definition \
    --family <task-definition-family> \
    --pid-mode host \
    --container-definitions '[{"name": "<container-name>", "image": "<container-image>", "memory": 512, "essential": true}]'

  3. Monitor the service to ensure it functions correctly and that inter-container communication is restored.

Note:

  • Inter-Container Communication: If your containers need to communicate with each other via the host's process namespace (e.g., for debugging or process introspection), using pidMode: host could be useful. However, this should only be used in trusted environments and with proper security controls.

  • Security Best Practice: For most production environments, process namespace isolation is recommended to enhance security by ensuring that one container’s process cannot affect or interfere with another container’s processes.

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                          | IG1 | IG2 | IG3
  --------|------------|--------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                         |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.     |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.              |     |     |