Control: ECS containers should run as non-privileged
Description
This control checks if the privileged parameter in the container definition of AWS ECS Task Definitions is set to true. The control fails if this parameter is equal to true.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.ecs_task_definition_container_non_privilegedSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.ecs_task_definition_container_non_privileged --shareSQL
This control uses a named query:
with privileged_container_definition as ( select distinct task_definition_arn as arn from aws_ecs_task_definition, jsonb_array_elements(container_definitions) as c where c ->> 'Privileged' = 'true')select d.task_definition_arn as resource, case when c.arn is null then 'ok' else 'alarm' end as status, case when c.arn is null then d.title || ' does not have elevated privileges.' else d.title || ' has elevated privileges.' end as reason , region, account_idfrom aws_ecs_task_definition as d left join privileged_container_definition as c on d.task_definition_arn = c.arn;