Profile Applicability:

  • Level 1

Description:

In Amazon ECS, task definitions specify how containers should be run within ECS clusters. By default, ECS containers are run with restricted privileges. However, ECS allows you to configure containers to run in privileged mode, giving them additional access to the underlying host and resources, such as the ability to manipulate the network stack or mount sensitive host files. This SOP ensures that ECS task definitions do not have privileged containers, enforcing security best practices and reducing the attack surface of containerized applications.

Rationale:

Running containers in privileged mode provides the container with excessive permissions, including access to host devices and the ability to change critical system configurations. While privileged containers are required in some edge cases, allowing them increases the risk of security vulnerabilities, such as privilege escalation attacks or accidental system modifications. Enforcing non-privileged containers aligns with the least privilege security principle and improves the overall security posture of your ECS environment.

Impact:

Pros:

  • Improved Security: Restricting containers to non-privileged mode reduces the risk of unauthorized access to host resources and potential attacks.

  • Reduced Attack Surface: Minimizes the ability for containers to perform sensitive actions that could impact other services or the host machine.

  • Compliance: Helps meet security standards and compliance frameworks, such as CIS, by ensuring that containers are not granted unnecessary permissions.

Cons:

  • Application Constraints: Some applications may require privileged access for certain functionalities, and they may not work properly in a non-privileged mode.

  • Configuration Overhead: Requires careful design of containerized applications to ensure they can operate securely without needing privileged mode.

Default Value:

By default, ECS containers are non-privileged and do not have elevated permissions unless explicitly configured in the task definition.

Pre-requisite:

  • AWS IAM Permissions:

    • ecs:DescribeTaskDefinition

    • ecs:RegisterTaskDefinition

    • ecs:DeregisterTaskDefinition

    • ecs:DescribeTasks

  • AWS CLI installed and configured.

  • Basic understanding of ECS task definitions, privileged containers, and Docker security.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to ECS under Services.

  3. Go to Task Definitions and review each task definition to ensure that the privileged flag is not set for any container.

  4. In the Container Definitions section, check the privileged setting for each container in the task definition. It should be set to false (or not set at all).

  5. If any container is defined with privileged: true, modify the task definition to set it to false.

Using AWS CLI:

To describe the ECS task definition and check for privileged containers, run:

aws ecs describe-task-definition --task-definition <task-definition-name> --query 'taskDefinition.containerDefinitions[*].privileged'

Review the output to ensure that the privileged field is not set to true for any container in the task definition. Containers that omit the flag appear as null in this output; ECS treats a missing flag as false.

Example output:

[
  {
    "privileged": false
  }
]

If the privileged field is set to true, update the task definition to disable privileged mode for the container.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to ECS.

  3. In the ECS Dashboard, go to Task Definitions.

  4. Select the task definition to be updated or create a new revision.

  5. In the Container Definitions section, find the container and ensure that privileged is set to false.

  6. Save the changes to the task definition and register the new revision.

  7. Deploy the updated task definition to the ECS service or cluster.

Using AWS CLI:

To register a new ECS task definition without privileged containers, run:

aws ecs register-task-definition \
  --family <task-family> \
  --container-definitions '[{
      "name": "my-container",
      "image": "my-image",
      "memory": 512,
      "cpu": 256,
      "privileged": false,
      "essential": true
  }]'

To update an existing ECS task definition to disable privileged mode, register a new revision. Task definitions are immutable and the AWS CLI has no update-task-definition command, so export the current definition, edit it, and re-register it:

aws ecs describe-task-definition --task-definition <task-definition-name> \
  --query 'taskDefinition' --output json > task-def.json

# Edit task-def.json: set "privileged": false for the affected container and remove the
# read-only fields returned by describe (taskDefinitionArn, revision, status,
# requiresAttributes, compatibilities, registeredAt, registeredBy), then register it:

aws ecs register-task-definition --cli-input-json file://task-def.json
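The following Python script is an added example (not part of the original SOP or of any AWS tooling) that performs both CLI steps above offline: it audits a describe-task-definition response for containers with privileged set to true, and then builds the payload for a new non-privileged revision by stripping the read-only fields that register-task-definition rejects. SAMPLE_RESPONSE is a constructed sample, not output from a real account; the account ID, ARNs and image names in it are placeholders.

```python
"""
Added example: audit an ECS task definition for privileged containers and
build a register-task-definition payload with the flag disabled.

Assumes the input has the shape that
`aws ecs describe-task-definition --task-definition <name>` prints
(top-level "taskDefinition" object with "containerDefinitions").
"""
import json

# Constructed sample response: one privileged container, one explicitly
# non-privileged container, and one that omits the flag (ECS default: false).
SAMPLE_RESPONSE = json.loads("""
{
  "taskDefinition": {
    "taskDefinitionArn": "arn:aws:ecs:us-east-1:111111111111:task-definition/web:7",
    "family": "web",
    "revision": 7,
    "status": "ACTIVE",
    "requiresCompatibilities": ["EC2"],
    "networkMode": "bridge",
    "containerDefinitions": [
      {"name": "nginx", "image": "nginx:1.25", "memory": 512, "cpu": 256,
       "privileged": true, "essential": true},
      {"name": "sidecar", "image": "busybox", "memory": 128, "cpu": 64,
       "privileged": false, "essential": false},
      {"name": "logger", "image": "fluent/fluent-bit", "memory": 128, "cpu": 64,
       "essential": false}
    ],
    "requiresAttributes": [{"name": "com.amazonaws.ecs.capability.privileged-container"}],
    "compatibilities": ["EC2"],
    "registeredAt": "2024-01-01T00:00:00+00:00",
    "registeredBy": "arn:aws:iam::111111111111:user/example"
  }
}
""")

# Fields that describe-task-definition returns but register-task-definition
# does not accept; they must be dropped before re-registering a revision.
READ_ONLY_FIELDS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}


def privileged_containers(response):
    """Return the names of containers whose privileged flag is true.

    A missing flag is treated as false, matching the ECS default, so the
    audit reports only containers that were explicitly escalated.
    """
    task_def = response["taskDefinition"]
    return [c["name"] for c in task_def["containerDefinitions"]
            if c.get("privileged", False) is True]


def non_privileged_revision(response):
    """Build a register-task-definition payload with privileged disabled.

    Task definitions are immutable, so remediation means registering a new
    revision: deep-copy the definition, drop read-only fields, and set
    privileged=false on every container. The result is JSON-serialisable
    and can be written to a file for `--cli-input-json file://...`.
    """
    task_def = json.loads(json.dumps(response["taskDefinition"]))  # deep copy
    for field in READ_ONLY_FIELDS:
        task_def.pop(field, None)
    for container in task_def["containerDefinitions"]:
        container["privileged"] = False
    return task_def


if __name__ == "__main__":
    print("privileged containers:", privileged_containers(SAMPLE_RESPONSE))
    with open("task-def-revision.json", "w") as fh:
        json.dump(non_privileged_revision(SAMPLE_RESPONSE), fh, indent=2)
    print("wrote task-def-revision.json; register it with:")
    print("  aws ecs register-task-definition --cli-input-json file://task-def-revision.json")
```

To run it against a live account, replace SAMPLE_RESPONSE with the parsed output of `aws ecs describe-task-definition --output json` and feed the written file to register-task-definition; the same two functions work unchanged on a boto3 `describe_task_definition` response.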

Backout Plan:

If disabling privileged mode causes issues:

  1. Identify the affected task definition and container.

  2. Revert the privileged setting to true by updating the task definition.

  3. Use the following CLI command to deregister the task definition:

     aws ecs deregister-task-definition --task-definition <task-definition-name>

  4. Re-deploy using the previous working task definition with privileged set to true.

Note:

  • If an application genuinely requires privileged access (e.g., for Docker-in-Docker use cases or low-level system modifications), consider running the container in a separate security boundary or adjusting the security controls to ensure the container has the minimum necessary privileges.

  • Consider using AWS Fargate with awsvpc network mode for greater isolation and security for non-privileged containers.

References:

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |
v8 | 14.6 | Protect Information Through Access Control Lists – Apply strict access control to file systems. | | |