Profile Applicability:
- Level 1
Description:
Ensure that only trusted images are used with Amazon Elastic Container Service (ECS). This check automates the validation of container images so that only verified, secure images are deployed. Using untrusted or outdated images can introduce security vulnerabilities, leaving your ECS environment susceptible to exploitation.
Rationale:
Using untrusted or outdated container images can expose ECS workloads to security vulnerabilities. Automating the process ensures that only verified images from trusted sources (e.g., private registries, AWS Elastic Container Registry (ECR), or Docker Hub) are used, reducing the risk of introducing insecure or malicious containers.
Impact:
Pros:
Ensures that only trusted, secure images are used in ECS tasks.
Reduces the risk of vulnerabilities from untrusted container images.
Automates the enforcement of trusted image policies, ensuring consistent security across ECS environments.
Cons:
Requires configuration of trusted image policies and automated enforcement.
Potential disruption if non-compliant images are used and need to be removed or replaced.
Default Value:
By default, ECS may allow images from any source, including unverified registries, unless explicitly configured to enforce trusted images.
Pre-requisites:
AWS IAM permissions for managing ECS configurations, task definitions, and ECS services:
ecs:RegisterTaskDefinition
ecs:UpdateService
ecr:BatchCheckLayerAvailability
ecr:GetAuthorizationToken
Remediation:
Test plan:
Using AWS Console:
Log in to the AWS Management Console and navigate to the ECS service.
In the left pane, click on Task Definitions and review the container images used for tasks.
Ensure that the images used are sourced from trusted repositories (e.g., AWS ECR, Docker Hub, or private registries).
If any task definition uses an untrusted image, update the task definition to use a trusted image from an authorized registry.
Using AWS CLI:
List all ECS task definitions with the following command:
aws ecs list-task-definitions --status ACTIVE
For each task definition, check the associated image:
aws ecs describe-task-definition --task-definition <task-definition-name>
Review the image URL and ensure it points to a trusted repository. If not, update the task definition.
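The CLI test plan above, automated in Python as an added example (not part of the benchmark text): audit_task_definition applies the trusted-registry check to the JSON that describe-task-definition returns, and audit_account wraps the two CLI commands via subprocess. The allow-list and the sample task definition are constructed assumptions; an image reference with no registry host (e.g. nginx:1.25) is pulled from Docker Hub, so it is judged against the docker.io entry rather than slipping past a naive prefix match.

```python
import json
import subprocess

# Constructed allow-list (assumption): trusted registries; Docker Hub is "docker.io".
TRUSTED_REGISTRIES = {"123456789012.dkr.ecr.us-east-1.amazonaws.com", "docker.io"}

def registry_of(image):
    """Registry host of an image reference, applying Docker's default-resolution rule:
    with no '/' at all, or a first path component lacking '.' and ':' that is not
    'localhost', the image is pulled from Docker Hub, i.e. docker.io."""
    if "/" not in image:
        return "docker.io"
    first = image.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first.lower()
    return "docker.io"

def audit_task_definition(td, trusted=TRUSTED_REGISTRIES):
    """[(container name, image)] for every image not hosted on a trusted registry;
    `td` is the parsed JSON that `aws ecs describe-task-definition` returns."""
    return [(c["name"], c["image"])
            for c in td["taskDefinition"]["containerDefinitions"]
            if registry_of(c["image"]) not in trusted]

def _aws(*args):
    """Run one AWS CLI command and parse its JSON output (needs AWS credentials)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def audit_account(trusted=TRUSTED_REGISTRIES):
    """The CLI test plan end to end: list ACTIVE task definitions and check each one."""
    findings = {}
    for arn in _aws("ecs", "list-task-definitions", "--status", "ACTIVE")["taskDefinitionArns"]:
        td = _aws("ecs", "describe-task-definition", "--task-definition", arn)
        bad = audit_task_definition(td, trusted)
        if bad:
            findings[arn] = bad
    return findings

# Constructed sample in the shape describe-task-definition returns (not real output).
SAMPLE_TD = {"taskDefinition": {"containerDefinitions": [
    {"name": "app", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.4.2"},
    {"name": "proxy", "image": "nginx:1.25"},
    {"name": "sidecar", "image": "quay.io/example/sidecar:latest"},
]}}

if __name__ == "__main__":
    print(audit_task_definition(SAMPLE_TD))  # [('sidecar', 'quay.io/example/sidecar:latest')]
```

Running audit_account() against a real account returns a map of non-compliant task definition ARNs to the offending containers, which is the input to the update step in the implementation plan.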
Implementation Plan:
Using AWS Console:
Log in to the AWS Management Console and navigate to ECS.
In the Task Definitions section, find any task definition that is using an untrusted image.
Click Actions → Update Task Definition.
Replace the image URL with a trusted image URL (e.g., from AWS ECR or a private registry).
Save and deploy the updated task definition.
Using AWS CLI:
Run the following command to register a new task definition with a trusted image:
aws ecs register-task-definition --family <task-family> --container-definitions file://container-definitions.json
Ensure that the container definition points to a trusted image from a verified registry.
Update any ECS services to use the updated task definition.
Backout Plan:
Using AWS Console:
If issues arise after implementing the change, revert the task definition to the previous configuration.
In the Task Definitions section, select the previous task definition and click Actions → Revert to Previous Revision.
Using AWS CLI:
If the updated image causes issues, deregister the current task definition and re-register the previous version:
aws ecs deregister-task-definition --task-definition <task-definition-name>
Revert the task definition to the previous working version.
References:
CIS Controls: