ECS Tasks With Network Mode Host Should Have Limited Permissions
More Info:
This rule verifies that ECS task definitions using the ‘host’ network mode specify a non-root user for their containers. In ‘host’ network mode, containers share the network namespace with the host, so a container can reach the host’s network interfaces and any service listening on them, potentially exposing sensitive network configurations or services. Running such containers as an explicit non-root user limits what a compromised container can do, reducing the risk of privilege escalation or unauthorized access to host resources.
Risk Level
High
Address
Security
Compliance Standards
CBP
Remediation
Using Console
- Navigate to the Amazon ECS console.
- Select “Task Definitions” from the navigation pane.
- Identify the task definition using the host network mode.
- Click on the task definition to edit it.
- Review the container definitions.
- Modify the container definitions to specify a non-root user if not already specified.
- Save the changes to the task definition.
Using CLI
aws ecs register-task-definition --cli-input-json file://task-definition.json
Ensure that task-definition.json contains the updated task definition with a non-root user specified for every container, since the task uses the host network mode. Note that register-task-definition creates a new revision of the task definition rather than modifying the existing one.
Using Python
import boto3

# Fields returned by describe_task_definition that register_task_definition rejects
READ_ONLY_FIELDS = (
    'taskDefinitionArn', 'revision', 'status', 'requiresAttributes',
    'compatibilities', 'registeredAt', 'registeredBy', 'deregisteredAt',
)

def remediate_ecs_task_definition(task_definition_arn, non_root_user):
    # Initialize ECS client
    ecs_client = boto3.client('ecs')
    # Describe task definition
    response = ecs_client.describe_task_definition(taskDefinition=task_definition_arn)
    task_definition = response['taskDefinition']
    # networkMode is a task-level setting, not a per-container one
    if task_definition.get('networkMode') != 'host':
        print(f"Task definition '{task_definition_arn}' does not use host network mode; nothing to do.")
        return
    # Ensure every container runs as a non-root user ("root" or unspecified is non-compliant)
    for container_definition in task_definition['containerDefinitions']:
        if container_definition.get('user', '') in ('', 'root'):
            container_definition['user'] = non_root_user
    # Strip read-only fields before registering a new revision
    for field in READ_ONLY_FIELDS:
        task_definition.pop(field, None)
    # Register the updated task definition (this creates a new revision)
    ecs_client.register_task_definition(**task_definition)
    print(f"Task definition '{task_definition_arn}' remediated.")

def main():
    # Specify the ARN of the ECS task definition to remediate
    task_definition_arn = 'your-task-definition-arn'
    # Remediate the ECS task definition, setting a non-root user that exists in the image
    remediate_ecs_task_definition(task_definition_arn, 'non-root-user')

if __name__ == "__main__":
    main()
Replace 'your-task-definition-arn' with the ARN of the ECS task definition you want to remediate, and 'non-root-user' with a user name or UID that exists in the container image. The script retrieves the task definition, sets a non-root user on every container whose user is “root” or unspecified when the task uses the host network mode, and registers the result as a new task definition revision. Services and scheduled tasks that reference the old revision must be updated to use the new one.
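To audit task definitions against this rule before remediating, the following added example (not part of this rule page or of any vendor tool) checks task definitions shaped like the taskDefinition object that describe-task-definition returns. It goes slightly beyond the rule text by also treating UID 0 and the user:group forms accepted by Docker and ECS (for example 0:0 or root:wheel) as root. The sample task definitions are constructed for the example and do not refer to real accounts or images.

```python
# Offline compliance check for "ECS tasks with network mode host should have
# limited permissions". Added example; it reads dictionaries shaped like the
# taskDefinition object returned by `aws ecs describe-task-definition`.

ROOT_USERS = {'root', '0'}


def runs_as_root(user):
    """Return True when a container `user` value means root.

    Docker/ECS accept `user`, `user:group`, `uid` and `uid:gid`; only the part
    before ':' decides. An empty or missing value is treated as a violation, as
    the rule does, because the container then inherits the image default user.
    """
    if not user:
        return True
    return user.split(':', 1)[0].strip() in ROOT_USERS


def find_violations(task_definition):
    """Return the names of containers violating the rule.

    networkMode is a task-level setting; a task definition is only in scope
    when it is 'host', and then every container needs a non-root user.
    """
    if task_definition.get('networkMode') != 'host':
        return []
    return [
        container.get('name', '<unnamed>')
        for container in task_definition.get('containerDefinitions', [])
        if runs_as_root(container.get('user', ''))
    ]


# Constructed sample task definitions (not real accounts, ARNs or images).
SAMPLE_TASK_DEFINITIONS = {
    'host-mode-no-user': {
        'family': 'edge-proxy', 'networkMode': 'host',
        'containerDefinitions': [{'name': 'proxy', 'image': 'example/proxy:1'}],
    },
    'host-mode-uid-zero': {
        'family': 'collector', 'networkMode': 'host',
        'containerDefinitions': [
            {'name': 'agent', 'image': 'example/agent:2', 'user': '0:0'},
            {'name': 'sidecar', 'image': 'example/sidecar:2', 'user': '1000'},
        ],
    },
    'host-mode-compliant': {
        'family': 'metrics', 'networkMode': 'host',
        'containerDefinitions': [
            {'name': 'exporter', 'image': 'example/exporter:3', 'user': 'nobody:nogroup'},
        ],
    },
    'awsvpc-mode-root': {
        # Out of scope for this rule: root user, but not host network mode.
        'family': 'api', 'networkMode': 'awsvpc',
        'containerDefinitions': [{'name': 'api', 'image': 'example/api:4', 'user': 'root'}],
    },
}


def audit(task_definitions):
    """Map each task definition key to its violating container names (empty list = compliant)."""
    return {key: find_violations(td) for key, td in task_definitions.items()}


if __name__ == '__main__':
    for key, offenders in audit(SAMPLE_TASK_DEFINITIONS).items():
        status = 'FAIL' if offenders else 'PASS'
        print(f"{status} {key} {offenders}")
```

To run this against a real account, feed audit() the taskDefinition objects from describe-task-definition for each active revision; find_violations() returns an empty list for compliant or out-of-scope definitions, so the result can be filtered directly into a findings list.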