Profile Applicability:

  • Level 1

Description:
This rule ensures that Amazon ECS task definitions do not grant privileged access to the host container instance. Privileged access can significantly increase security risks by allowing containers to perform actions that may compromise the security of the host system. Therefore, this rule ensures containers run with minimal privileges.

Rationale:
Allowing privileged access in ECS task definitions compromises the isolation between containers and the host instance. Privileged access enables the container to perform actions that could lead to privilege escalation, where a compromised container could potentially gain control of the host system. By ensuring that privileged access is not granted, ECS maintains stronger security by reducing the attack surface.

Impact:
Pros:

  • Enhanced security by maintaining proper isolation between containers and the host.

  • Reduced risk of privilege escalation and potential security breaches.

Cons:

  • Operational complexity may arise, requiring updates to ECS task definitions and ensuring applications run correctly without privileged access.

  • Some administrative effort is needed to review and update ECS task definitions.

Default Value:
By default, the privileged parameter is set to false when creating a task definition. This is the secure setting, which prevents privileged access.

Pre-requisites:

  • AWS IAM permissions to manage ECS task definitions:
    ecs:DescribeTaskDefinition, ecs:UpdateTaskDefinition

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS ECS Console.

  2. In the left panel, click Task Definitions.

  3. Click the name of the task definition to review.

  4. Click on the latest active revision of the task definition.

  5. Click JSON to view the raw configuration.

  6. For each element under containerDefinitions, ensure that the privileged field is set to false or is absent.

  7. If privileged is set to true, refer to the remediation below.

  8. Repeat steps 1–7 for all task definitions across all AWS regions.

Using AWS CLI:

  1. Run the following command to list all task definitions:

    aws ecs list-task-definitions

  2. For each task definition, run the following command to describe it:

    aws ecs describe-task-definition --task-definition <task-definition-arn> --query 'taskDefinition.containerDefinitions[*].privileged'

  3. Ensure that the command does not return true for the privileged field. If true is returned, refer to the remediation below.

  4. Repeat steps 1–3 for each task definition and AWS region.

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS ECS Console.

  2. In the left panel, click Task Definitions.

  3. Click on the task definition that needs to be modified.

  4. Click on the latest active revision of the task definition.

  5. Click Create new revision.

  6. In the JSON editor, ensure that the privileged field is set to false (or remove the "privileged": true entry):
    "privileged": false

  7. Click Create to save the new task definition.

  8. Repeat steps 1–7 for any other task definitions requiring remediation.

Using AWS CLI:

  1. For each task definition that needs to be updated, run the following command to register a new task definition with the privileged field set to false:

    aws ecs register-task-definition \
      --family <task-family-name> \
      --container-definitions '[{"name": "container-name", "image": "image-name", "privileged": false}]'

  2. After updating the task definitions, redeploy the ECS tasks using the new task definition.
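The Test Plan and Implementation Plan above both operate on the JSON that `aws ecs describe-task-definition` returns. The following script, added here as an illustration and not part of the original benchmark or of any AWS tooling, performs both steps offline on a constructed sample: it flags every container whose privileged field is true (absent or false counts as compliant, matching the Console check), and it builds a register-task-definition input from the describe output with the privileged flag removed. The set of read-only fields it strips is the one that describe-task-definition emits but register-task-definition does not accept; the sample ARN, family, and image names are made up.

```python
import json
import sys

# Constructed sample shaped like `aws ecs describe-task-definition` output.
# Account ID, ARN, family and images are invented for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "taskDefinition": {
        "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/web:7",
        "family": "web",
        "revision": 7,
        "status": "ACTIVE",
        "containerDefinitions": [
            {"name": "nginx", "image": "nginx:1.25", "privileged": False},
            {"name": "agent", "image": "example/agent:latest", "privileged": True},
            {"name": "sidecar", "image": "example/sidecar:latest"},  # flag absent
        ],
    }
})

# Fields returned by describe-task-definition that register-task-definition
# rejects; they must be dropped before re-registering a copy.
READ_ONLY_FIELDS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}


def _task_definition(describe_output: str) -> dict:
    """Accept either the full describe output or a bare taskDefinition object."""
    doc = json.loads(describe_output)
    return doc.get("taskDefinition", doc)


def find_privileged_containers(describe_output: str) -> list:
    """Names of containers whose privileged field is explicitly true."""
    task_def = _task_definition(describe_output)
    return [
        c["name"]
        for c in task_def.get("containerDefinitions", [])
        if c.get("privileged") is True
    ]


def is_compliant(describe_output: str) -> bool:
    """Compliant when no container requests privileged access."""
    return not find_privileged_containers(describe_output)


def build_remediated_task_definition(describe_output: str) -> dict:
    """Return a register-task-definition input with privileged removed.

    Removing the field is equivalent to setting it to false, since false is
    the default, and keeps the rest of the task definition unchanged.
    """
    task_def = _task_definition(describe_output)
    new_def = {k: v for k, v in task_def.items() if k not in READ_ONLY_FIELDS}
    new_def["containerDefinitions"] = [
        {k: v for k, v in c.items() if k != "privileged"}
        for c in task_def.get("containerDefinitions", [])
    ]
    return new_def


if __name__ == "__main__":
    # Read describe output from stdin when piped, else use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    offenders = find_privileged_containers(raw)
    if offenders:
        print(f"NON-COMPLIANT: privileged=true in {offenders}", file=sys.stderr)
        # Emit a register-task-definition payload for --cli-input-json.
        print(json.dumps(build_remediated_task_definition(raw), indent=2))
    else:
        print("COMPLIANT: no privileged containers", file=sys.stderr)
```

In practice the audit step is `aws ecs describe-task-definition --task-definition <task-definition-arn> | python3 ecs_privileged_check.py > new-revision.json`, followed for a non-compliant result by `aws ecs register-task-definition --cli-input-json file://new-revision.json`, which creates the new revision the Implementation Plan calls for without retyping the container definitions by hand.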

Backout Plan:

Using AWS Console:

  1. If issues arise after updating the task definitions, revert to the previous revision of the task definition where privileged was set to true.

  2. Redeploy ECS tasks with the previous task definition.

Using AWS CLI:

  1. To restore the original configuration, run the following command to register a new task definition with privileged: true:

    aws ecs register-task-definition \
      --family <task-family-name> \
      --container-definitions '[{"name": "container-name", "image": "image-name", "privileged": true}]'

  2. Redeploy ECS tasks using the older task definition if necessary.

References:

  1. AWS ECS Task Definitions

  2. AWS ECS Task Definition Parameters

  3. AWS CLI: describe-task-definition

  4. AWS CLI: register-task-definition

CIS Controls:

  Version | Control ID | Control Description
  --------|------------|--------------------
  v8      | 5.4        | Restrict administrator privileges by ensuring that ECS task definitions do not allow privileged access, thereby maintaining container isolation and improving security.
  v7      | 4.3        | Ensure the use of dedicated administrative accounts by configuring ECS tasks to minimize privileged access, thus preventing potential privilege escalation.