Profile Applicability:
- Level 1
Description:
This rule ensures that Amazon Elastic Container Service (Amazon ECS) task definitions using host network mode do not allow privileged or root user access. Privileged access increases the risk of container breakout, where a compromised container can gain control of the host system. By preventing privileged or root access, the security of the underlying host container instance is protected.
Rationale:
When using host network mode in ECS, combining it with privileged or root user access significantly increases the risk of container breakout attacks. In such scenarios, a compromised container could gain access to the underlying host system, potentially affecting the entire infrastructure. Disabling privileged or root user access helps reduce this risk and improves the overall security posture.
Impact:
Pros:
Improved security by reducing the risk of container breakout and unauthorized host access.
Adherence to the principle of least privilege, ensuring that containers have only the necessary permissions.
Cons:
Some administrative effort may be required to ensure that ECS tasks function as expected without privileged or root user access.
Potential operational complexity in adjusting tasks that may rely on privileged access for certain functionality.
Default Value:
By default, when creating an ECS task definition with host network mode, the privileged and user parameters are unset. However, they may be explicitly set in task definitions, which can create a security risk.
Pre-requisites:
AWS IAM permissions to manage ECS task definitions:
ecs:DescribeTaskDefinition, ecs:UpdateTaskDefinition
Remediation:
Test Plan:
Using AWS Console:
Log in to the AWS ECS Console.
In the left panel, click Task Definitions.
Click on the task definition you wish to review.
Click on the latest active revision of the task definition.
If the Network mode is set to host, click JSON to view the raw configuration.
For each element under containerDefinitions, ensure that:
privileged is set to false or is absent.
user is not set to root or is absent.
Repeat the process for other task definitions and AWS regions.
Using AWS CLI:
Run the following command to list task definitions:
aws ecs list-task-definitions
For each task definition, run the following command to describe it:
aws ecs describe-task-definition --task-definition <task-definition-arn>
Ensure that for each containerDefinition, the privileged field is set to false or absent, and the user is not set to root or is absent.
Repeat this process for each task definition in all AWS regions.
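The same check, automated over the JSON that describe-task-definition returns, as an added example that is not part of this benchmark page. It applies the rule exactly as stated (host network mode in scope; privileged true or a root user fails) and goes slightly further by treating uid 0 and "user:group" forms as root; the SAMPLE task definition is constructed, and audit_region assumes boto3 and AWS credentials are available.

```python
from typing import List


def is_root_user(user) -> bool:
    """True for root given as a name or uid, with or without a ':group' part."""
    if not user:
        return False
    return str(user).split(":", 1)[0].strip() in ("root", "0")


def find_violations(task_def: dict) -> List[str]:
    """One finding per offending container. Only host network mode is in scope;
    a container fails if privileged is true or it runs as root."""
    if task_def.get("networkMode") != "host":
        return []
    label = f"{task_def.get('family', '?')}:{task_def.get('revision', '?')}"
    findings = []
    for c in task_def.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        if c.get("privileged") is True:
            findings.append(f"{label}/{name}: privileged=true with networkMode=host")
        if is_root_user(c.get("user")):
            findings.append(f"{label}/{name}: user={c['user']!r} with networkMode=host")
    return findings


# Constructed sample shaped like the "taskDefinition" object returned by
# `aws ecs describe-task-definition`; it is not real AWS output.
SAMPLE = {
    "family": "web",
    "revision": 3,
    "networkMode": "host",
    "containerDefinitions": [
        {"name": "proxy", "image": "nginx", "privileged": True},
        {"name": "app", "image": "app:1", "user": "0:0"},
        {"name": "sidecar", "image": "agent", "privileged": False, "user": "1000"},
    ],
}


def audit_region(region: str) -> List[str]:
    """Live check of every ACTIVE task definition in one region (needs boto3 + credentials)."""
    import boto3  # imported here so the pure checks above run without the SDK
    ecs = boto3.client("ecs", region_name=region)
    findings = []
    for page in ecs.get_paginator("list_task_definitions").paginate(status="ACTIVE"):
        for arn in page["taskDefinitionArns"]:
            td = ecs.describe_task_definition(taskDefinition=arn)["taskDefinition"]
            findings.extend(find_violations(td))
    return findings
```

Run audit_region once per region you operate in; inactive revisions are skipped because only active ones can be used by new tasks.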
Implementation Plan:
Using AWS Console:
Log in to the AWS ECS Console.
In the left panel, click Task Definitions.
Click on the task definition that needs to be modified.
Click on the latest active revision of the task definition.
Click Create new revision.
In the JSON editor, modify the containerDefinitions to set:
privileged: false (or remove "privileged": true).
user: <appropriate-non-root-user> (or remove "user": "root").
Click Create to save the new task definition.
Repeat this for other task definitions needing remediation.
Using AWS CLI:
Retrieve the current task definition so that the new revision keeps every other setting unchanged:
aws ecs describe-task-definition --task-definition <task-definition-arn>
Register a new revision with the corrected container settings (task definitions are immutable, so remediation always creates a new revision rather than editing the existing one):
aws ecs register-task-definition \
  --family <family-name> \
  --network-mode host \
  --container-definitions '[{"name": "<container-name>", "image": "<image-name>", "privileged": false, "user": "<non-root-user>"}]'
Then point any service or scheduled task that references the family at the new revision, since running tasks keep using the revision they were started with.
Backout Plan:
Using AWS Console:
If an issue arises after enforcing this change, you can revert by editing the task definition and restoring the privileged and user settings to the original configuration.
Test to ensure the containers are still functioning properly after reverting.
Using AWS CLI:
If issues arise, use register-task-definition to register a revision with the original privileged and user settings, or point the service back at the previous revision.
References:
CIS Controls: