🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: ECS task definitions should not use root user.

Description

This control checks if ECS task definitions have root user. This control fails if the ECS task definitions have root user.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.ecs_task_definition_no_root_user

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.ecs_task_definition_no_root_user --share

SQL

This control uses a named query:

with root_user_task_definition as (
  select
    distinct task_definition_arn as arn
  from
    aws_ecs_task_definition,
    jsonb_array_elements(container_definitions) as c
  where
    c ->> 'User' = 'root'
)
select
  a.task_definition_arn as resource,
  case
    when b.arn is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when b.arn is not null then a.title || ' have root user.'
    else a.title || ' does not have root user.'
  end as reason
  
  , region, account_id
from
  aws_ecs_task_definition as a
  left join root_user_task_definition as b on a.task_definition_arn = b.arn;

Tags

acsc_essential_eight = true
category = Compliance
plugin = aws
service = AWS/ECS