Profile Applicability:

  • Level 1

Description:
 This rule ensures that Amazon ECS task definitions do not share the host's process namespace with their containers, i.e. that the pidMode parameter is not set to host. Keeping the host namespace private to the host preserves process isolation and prevents containers from viewing or interacting with processes running on the host machine, reducing security risk.

Rationale:
 Using the host value for the pidMode parameter allows containers to access the host's process namespace, potentially leading to unauthorized access to host processes. This reduces container isolation, which is a security concern, especially if a container is compromised. By ensuring pidMode is not set to host, you maintain proper isolation and security for ECS containers.

Impact:

Pros:

  • Enhanced container isolation by ensuring containers cannot view or manipulate host processes.

  • Reduced risk of unauthorized access to host system processes, which improves overall security.

  • Fewer attack surfaces for potential security breaches from malicious or compromised containers.

Cons:

  • Potential operational changes to existing ECS configurations to ensure proper task definitions.

  • Some administrative effort might be required to ensure that ECS applications work as expected with process isolation enabled.

Default Value:
 By default, when the pidMode parameter is not specified, ECS uses a private namespace for each container, ensuring process isolation.

Pre-requisites:

  • AWS IAM permissions to manage ECS task definitions:
    ecs:DescribeTaskDefinition, ecs:UpdateTaskDefinition

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS ECS Console.

  2. In the left panel, click Task Definitions.

  3. Click the name of the task definition to review.

  4. Click on the latest active revision of the task definition.

  5. Click JSON to view the raw configuration.

  6. Search for the pidMode parameter. Ensure that pidMode is not set to host.

  7. If pidMode is set to host, refer to the remediation below.

  8. Repeat steps 1–7 for other task definitions across all AWS regions.

Using AWS CLI:

  1. Run the following command to list all task definitions:

    aws ecs list-task-definitions

  2. For the latest revision of a task definition, run:

    aws ecs describe-task-definition --task-definition <task-definition-arn> --query 'taskDefinition.pidMode'

  3. Ensure that the command does not return host as the value for pidMode. If host is returned, refer to the remediation below.

  4. Repeat steps 1–3 for other task definitions and AWS regions.

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS ECS Console.

  2. In the left panel, click Task Definitions.

  3. Click on the task definition that needs to be modified.

  4. Click on the latest active revision of the task definition.

  5. Click Create new revision.

  6. In the JSON editor, ensure that the pidMode is set to task (or remove the pidMode parameter if it exists):
    "pidMode": "task"

  7. Click Create to save the new task definition.

  8. Repeat steps 1–7 for other task definitions requiring remediation.

Using AWS CLI:

  1. For each task definition that needs to be updated, register a new revision with pidMode set to task. pidMode is a task-level parameter, so it is passed with --pid-mode rather than inside the container definitions:

    aws ecs register-task-definition \
      --family <task-family-name> \
      --pid-mode task \
      --container-definitions '[{"name": "container-name", "image": "image-name"}]'

  2. After updating the task definitions, redeploy the affected ECS tasks and services using the new task definition revision.
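The following script is an added example for the Test Plan and Implementation Plan above; it is not code from the page or from AWS. It runs the audit offline over constructed describe-task-definition output (the ARNs, account id and images are placeholders), and it builds the input for a remediated revision by stripping the read-only fields that describe-task-definition returns but register-task-definition rejects. The live helper at the bottom assumes boto3 and credentials carrying ecs:ListTaskDefinitionFamilies and ecs:DescribeTaskDefinition; describing a family name returns its latest ACTIVE revision, which is what the test plan asks to check.

```python
"""Audit ECS task definitions for pidMode=host and build the payload for a
remediated revision. Added example; the only AWS calls live in the optional
helper audit_region_live, so everything else runs offline."""
from typing import Dict, List

# Fields that describe-task-definition returns but register-task-definition
# rejects; they must be stripped before a revision can be re-registered.
READ_ONLY_FIELDS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}

# Constructed sample shaped like describe-task-definition output; the ARNs,
# account id and images are placeholders, not real resources.
SAMPLE_TASK_DEFS: List[Dict] = [
    {
        "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/web:3",
        "family": "web",
        "revision": 3,
        "status": "ACTIVE",
        "pidMode": "host",  # the finding this rule is about
        "networkMode": "awsvpc",
        "requiresCompatibilities": ["EC2"],
        "containerDefinitions": [{"name": "web", "image": "nginx:1.25", "essential": True}],
        "requiresAttributes": [{"name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"}],
        "compatibilities": ["EC2"],
        "registeredAt": "2024-01-01T00:00:00+00:00",
        "registeredBy": "arn:aws:iam::123456789012:user/example",
    },
    {
        "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/api:7",
        "family": "api",
        "revision": 7,
        "status": "ACTIVE",
        "pidMode": "task",  # compliant: namespace shared within the task only
        "networkMode": "awsvpc",
        "requiresCompatibilities": ["EC2"],
        "containerDefinitions": [{"name": "api", "image": "api:1.0", "essential": True}],
        "compatibilities": ["EC2"],
        "registeredAt": "2024-01-02T00:00:00+00:00",
    },
    {
        "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/batch:2",
        "family": "batch",
        "revision": 2,
        "status": "ACTIVE",  # no pidMode: default private namespace, compliant
        "networkMode": "bridge",
        "containerDefinitions": [{"name": "batch", "image": "batch:1.0", "essential": True}],
        "compatibilities": ["EC2"],
        "registeredAt": "2024-01-03T00:00:00+00:00",
    },
]


def pid_mode_violation(task_def: Dict) -> bool:
    """True when the task definition shares the host's PID namespace."""
    return task_def.get("pidMode") == "host"


def audit(task_defs: List[Dict]) -> List[str]:
    """Return the ARNs of task definitions that fail this rule."""
    return [td["taskDefinitionArn"] for td in task_defs if pid_mode_violation(td)]


def remediated_payload(task_def: Dict) -> Dict:
    """Build register_task_definition kwargs for a new revision of the same
    family without the host PID namespace. Dropping pidMode falls back to the
    default private namespace per container; setting it to "task" also passes."""
    payload = {k: v for k, v in task_def.items() if k not in READ_ONLY_FIELDS}
    payload.pop("pidMode", None)
    return payload


def audit_region_live(region: str) -> List[str]:
    """Live variant: assumes boto3 and credentials (see lead-in). Describing
    a family name yields its latest ACTIVE revision."""
    import boto3  # imported here so the offline functions need no extra deps

    ecs = boto3.client("ecs", region_name=region)
    families: List[str] = []
    paginator = ecs.get_paginator("list_task_definition_families")
    for page in paginator.paginate(status="ACTIVE"):
        families.extend(page["families"])
    latest = [ecs.describe_task_definition(taskDefinition=f)["taskDefinition"] for f in families]
    return audit(latest)


if __name__ == "__main__":
    for arn in audit(SAMPLE_TASK_DEFS):
        print(f"FAIL pidMode=host: {arn}")
    new_rev = remediated_payload(SAMPLE_TASK_DEFS[0])
    print("remediated payload keys:", sorted(new_rev))
    # Live use (not run here): boto3.client("ecs").register_task_definition(**new_rev)
```

Registering the new revision does not move any running workload onto it; services still have to be updated to the new revision and tasks redeployed, as step 2 above says, and the old revision remains available for the backout plan until it is deregistered.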

Backout Plan:

Using AWS Console:

  1. If issues arise after updating the task definitions, revert to the previous revision of the task definition that had the pidMode set to host.

  2. Redeploy the ECS tasks with the previous task definition.

Using AWS CLI:

  1. If issues arise, restore the original pidMode setting by registering a new task definition and specifying pidMode: host.

  2. Redeploy ECS tasks using the older task definition if necessary.

References:

  1. AWS ECS: Task Definitions

  2. AWS ECS: Task Definition Parameters

  3. AWS CLI: describe-task-definition

  4. AWS CLI: register-task-definition

CIS Controls:

  Version  Control ID  Control Description
  v8       4.1         Establish and maintain a secure configuration process by ensuring that ECS task definitions do not use pidMode: host, thus reducing the attack surface and improving container isolation.
  v7       5.1         Establish secure configurations for ECS task definitions to prevent unnecessary access to host system processes by setting pidMode to task instead of host.