Profile Applicability:
Level 1
Description:
Host devices should not be directly exposed to containers to prevent unauthorized access to critical system resources. By default, Docker containers do not have direct access to host devices, but when using --device or other Docker flags, this exposure can occur. It is important to ensure that no sensitive or critical host devices are exposed to containers unnecessarily.
Rationale:
Exposing host devices to containers increases the risk of unauthorized access, compromise, or malicious use of the host's hardware. Restricting access to host devices reduces the attack surface and ensures that containers can only access necessary resources.
Impact:
Pros:
Minimizes security risks by preventing containers from accessing host devices.
Reduces potential for privilege escalation or system resource manipulation from within containers.
Cons:
Certain applications or use cases may require direct access to host devices, such as devices for hardware acceleration, GPUs, or other system-level resources.
Default Value:
By default, Docker does not expose host devices to containers unless specified by the --device flag.
Pre-requisites:
Administrative privileges on the system.
Knowledge of the devices that need to be used by containers, if any, and those that should be restricted.
Remediation:
Test Plan:
Using AWS Console:
- Navigate to the EC2 instance where Docker is running.
- Verify Docker configurations and container run commands to ensure the --device flag is not being used to expose host devices.
Using AWS CLI:
- Connect to the EC2 instance and run the following command to list the running containers:
docker ps --format '{{.ID}}: {{.Names}}'
- Ensure no container has host devices mapped by inspecting each container's HostConfig; the Devices list should be empty ([]) unless that device is explicitly required. Note that a container started with --privileged can access all host devices regardless of --device, so check the Privileged field as well:
docker inspect --format '{{.Name}}: Privileged={{.HostConfig.Privileged}} Devices={{json .HostConfig.Devices}}' <container_id>
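An added audit script (not part of this benchmark or of Docker's own tooling) that applies the check above across all containers at once: it parses docker inspect output, flags any --device mapping whose host path is outside an assumed site allowlist, and flags --privileged containers, since --privileged grants access to every host device. The allowlist contents and the embedded sample data are constructed for illustration.

```python
"""Audit `docker inspect` JSON for host devices mapped into containers."""
import json
import sys

# Assumed site allowlist of host devices containers may use (e.g. a GPU); adjust to policy.
APPROVED_DEVICES = {"/dev/nvidia0", "/dev/nvidiactl"}


def find_exposed_devices(containers, approved=APPROVED_DEVICES):
    """Return (container_name, host_path, cgroup_permissions) for every host device
    mapped via --device that is not in the allowlist. A --privileged container can
    reach every host device regardless of --device, so it is reported as path "*"."""
    findings = []
    for c in containers:
        name = c.get("Name", "").lstrip("/")
        host_config = c.get("HostConfig") or {}
        if host_config.get("Privileged"):
            findings.append((name, "*", "rwm"))
        for dev in host_config.get("Devices") or []:
            path = dev.get("PathOnHost", "")
            if path not in approved:
                findings.append((name, path, dev.get("CgroupPermissions", "")))
    return findings


# Constructed sample in the shape `docker inspect` emits (trimmed to the relevant fields).
SAMPLE = [
    {"Name": "/web", "HostConfig": {"Privileged": False, "Devices": []}},
    {"Name": "/audio", "HostConfig": {"Privileged": False, "Devices": [
        {"PathOnHost": "/dev/snd", "PathInContainer": "/dev/snd", "CgroupPermissions": "rwm"}]}},
    {"Name": "/ml", "HostConfig": {"Privileged": False, "Devices": [
        {"PathOnHost": "/dev/nvidia0", "PathInContainer": "/dev/nvidia0", "CgroupPermissions": "rwm"}]}},
    {"Name": "/legacy", "HostConfig": {"Privileged": True, "Devices": None}},
]

if __name__ == "__main__":
    # Pipe real data in: docker inspect $(docker ps -q) | python3 audit_devices.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = find_exposed_devices(data)
    for name, path, perms in findings:
        print(f"{name}: host device {path} exposed ({perms})")
    # Non-zero exit lets a scheduled job or CI step fail on any finding.
    sys.exit(1 if findings else 0)
```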
Implementation Plan:
Using AWS Console:
- Connect to the EC2 instance.
- If any container is using the --device flag, stop the container and remove the device mapping.
- Restart the container without exposing any unnecessary host devices, keeping its other run options (ports, volumes, environment variables) unchanged.
Using AWS CLI:
- Use SSM to remotely stop any container with exposed devices and restart it without the --device flag. Carry over the container's other run options from the original command; only the --device mapping should be dropped.
- Run the following command:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=InstanceIds,Values=<instance_id>" --parameters 'commands=["docker stop <container_id> && docker rm <container_id> && docker run -d --name <container_name> --restart always <image_name>"]'
Backout Plan:
Using AWS Console:
- If any containers require access to host devices, stop the container and add the device back using the --device flag.
- Restart Docker.
Using AWS CLI:
- Use SSM to stop the container and re-add the device mapping if necessary:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=InstanceIds,Values=<instance_id>" --parameters 'commands=["docker stop <container_id> && docker rm <container_id> && docker run -d --name <container_name> --restart always --device=/dev/<device_name> <image_name>"]'
References:
CIS Docker Benchmark v1.7
Docker Documentation: https://docs.docker.com/