ECS Tasks With Network Mode Host Should Have Limited Permissions
More Info:
This rule verifies that ECS Task Definitions do not specify a user when using the ‘host’ network mode. In ‘host’ network mode, containers share the network namespace with the host, potentially exposing sensitive network configurations or services. Not specifying a user for containers in ‘host’ mode enhances security by preventing potential privilege escalation or unauthorized access to host resources.Risk Level
HighAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of ECS tasks with network mode host having limited permissions in AWS, follow these steps using the AWS Management Console:
- Access the AWS Management Console: Go to the AWS Management Console at https://aws.amazon.com/ and log in with your credentials.
- Navigate to ECS: Click on the “Services” dropdown menu at the top of the console, then select “ECS” under the “Compute” section.
- Select the Cluster: From the ECS dashboard, select the cluster where the ECS tasks with network mode host are running.
- Select the Task Definition: In the cluster, click on the task definition that includes the ECS tasks with network mode host that need to have limited permissions.
- Edit Task Definition: In the task definition details page, click on the “Create new revision” button to create a new revision of the task definition.
- Update Task Definition: In the task definition editor, scroll down to the “Task execution IAM role” section. Here, you can update the task execution role to have limited permissions by attaching a custom IAM policy with restricted permissions.
- Create a Custom IAM Policy: If you don’t have a custom IAM policy with limited permissions already created, you can create one by navigating to the IAM service in the AWS Management Console. Click on “Policies” in the left-hand menu, then click on “Create policy” and follow the steps to define the policy with the necessary limited permissions.
- Attach Custom IAM Policy: Once you have created the custom IAM policy with limited permissions, go back to the task definition editor in the ECS console. In the “Task execution IAM role” section, click on “Attach policies” and search for the custom IAM policy you created. Select the policy and attach it to the task execution role.
- Review and Save: Review the changes you have made to the task definition, ensuring that the task execution role now has limited permissions. Once you are satisfied with the changes, click on the “Create” button to save the new revision of the task definition.
- Update ECS Service: After saving the new revision of the task definition, go back to the ECS cluster dashboard and select the service that is running the ECS tasks with network mode host. Update the service to use the new revision of the task definition with the limited permissions for the task execution role.
Using CLI
Using CLI
To remediate the misconfiguration of ECS tasks with network mode host having limited permissions in AWS Kubernetes using AWS CLI, follow these steps:
-
Identify the ECS tasks with network mode host: Run the following AWS CLI command to list all ECS tasks with network mode host:
-
Update the task definition: For each ECS task identified in the previous step, you need to update the task definition to limit the permissions. Run the following AWS CLI command to describe the task definition:
-
Modify the task definition: Edit the task definition JSON to remove any unnecessary or overly permissive permissions. Ensure that the task has the least privilege necessary to function properly. Here’s an example of modifying the task definition JSON:
-
Update the task definition: Run the following AWS CLI command to update the task definition with the modified JSON:
-
Verify the changes: Run the following AWS CLI command to verify that the task definition has been updated successfully:
Using Python
Using Python
To remediate the misconfiguration of ECS tasks with network mode host having limited permissions in AWS Kubernetes using Python, you can follow these steps:Replace
'your-task-definition-arn' with the ARN of the ECS task definition you want to remediate. This script retrieves the task definition, modifies it to ensure the user is not “root” or not specified for containers using the host network mode, and registers the updated task definition. Adjust the script to specify a non-root user as needed.