More Info:

This rule verifies that ECS Task Definitions do not specify a user when using the ‘host’ network mode. In ‘host’ network mode, containers share the network namespace with the host, potentially exposing sensitive network configurations or services. Not specifying a user for containers in ‘host’ mode enhances security by preventing potential privilege escalation or unauthorized access to host resources.

Risk Level

High

Address

Security

Compliance Standards

CBP

Remediation

Using Console

  1. Navigate to the Amazon ECS console.
  2. Select “Task Definitions” from the navigation pane.
  3. Identify the task definition using the host network mode.
  4. Click on the task definition to edit it.
  5. Review the container definitions.
  6. Modify the container definitions to specify a non-root user if not already specified.
  7. Save the changes to the task definition.

Using CLI

aws ecs register-task-definition --cli-input-json file://task-definition.json

Ensure that task-definition.json contains the updated task definition with the appropriate user specified for containers using the host network mode.

Using Python

import boto3

def remediate_ecs_task_definition(task_definition_arn):
    # Initialize ECS client
    ecs_client = boto3.client('ecs')

    # Describe task definition
    response = ecs_client.describe_task_definition(taskDefinition=task_definition_arn)
    task_definition = response['taskDefinition']

    # Modify the task definition to ensure user is not "root" or not specified
    for container_definition in task_definition['containerDefinitions']:
        if container_definition['networkMode'] == 'host':
            if container_definition.get('user', '') == 'root' or not container_definition.get('user', ''):
                container_definition['user'] = 'non-root-user'  # Specify a non-root user

    # Register the updated task definition
    response = ecs_client.register_task_definition(**task_definition)
    print(f"Task definition '{task_definition_arn}' remediated.")

def main():
    # Specify the ARN of the ECS task definition to remediate
    task_definition_arn = 'your-task-definition-arn'

    # Remediate the ECS task definition
    remediate_ecs_task_definition(task_definition_arn)

if __name__ == "__main__":
    main()

Replace 'your-task-definition-arn' with the ARN of the ECS task definition you want to remediate. This script retrieves the task definition, modifies it to ensure the user is not “root” or not specified for containers using the host network mode, and registers the updated task definition. Adjust the script to specify a non-root user as needed.