v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 1 Amazon ECS task definitions should have secure networking modes and user definitions

Description

This control checks whether an Amazon ECS task definition that has host networking mode also has 'privileged' or 'user' container definitions. The control fails for task definitions that have host network mode and container definitions where privileged=false or is empty and user=root or is empty.

If a task definition has elevated privileges, it is because the customer has specifically opted in to that configuration. This control checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted in to elevated privileges.

Remediation

For information on how to update a task definition, see Updating a task definition.

Note that when you update a task definition, it does not update running tasks that were launched from the previous task definition. To update a running task, you must redeploy the task with the new task definition.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ecs_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ecs_1 --share

SQL

This control uses a named query:

ecs_task_definition_user_for_host_mode_check

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = secure_access_management
foundational_security_item_id = ecs_1
plugin = aws
service = AWS/ECS