turbot/steampipe-mod-aws-compliance

Control: ECS task definition container definitions should be checked for host mode

Description

Checks whether an AWS Elastic Container Service (AWS ECS) task definition with host networking mode has 'privileged' or 'user' container definitions. The rule is non-compliant for task definitions with host network mode and container definitions of privileged=false or empty and user=root or empty.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.ecs_task_definition_user_for_host_mode_check

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.ecs_task_definition_user_for_host_mode_check --share

SQL

This control uses a named query:

with host_network_task_definition as (
  -- Task definitions in host network mode that have at least one container
  -- definition with Privileged set (and not 'false') and a User other than root.
  select
    distinct task_definition_arn as arn
  from
    aws_ecs_task_definition,
    jsonb_array_elements(container_definitions) as c
  where
    network_mode = 'host'
    and (
      c ->> 'Privileged' is not null
      and c ->> 'Privileged' <> 'false'
    )
    and (
      c ->> 'User' is not null
      and c ->> 'User' <> 'root'
    )
)
select
  a.task_definition_arn as resource,
  case
    -- The check only applies to host network mode; other modes are skipped.
    when a.network_mode is null or a.network_mode <> 'host' then 'skip'
    when b.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when a.network_mode is null or a.network_mode <> 'host' then a.title || ' is not in host network mode.'
    when b.arn is not null then a.title || ' has secure host network mode.'
    else a.title || ' does not have secure host network mode.'
  end as reason,
  region,
  account_id
from
  aws_ecs_task_definition as a
  left join host_network_task_definition as b on a.task_definition_arn = b.arn;
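To see how the query classifies concrete rows, here is an added Python re-implementation of the same logic (not part of the mod) run over constructed task definitions. The key names Privileged and User follow the query above; the ARNs and container values are made up for illustration.

```python
"""Mirror of the control's SQL logic, evaluated over constructed task definitions."""

# Constructed rows shaped like aws_ecs_task_definition (arn, network_mode, container_definitions).
_ARN = "arn:aws:ecs:us-east-1:123456789012:task-definition/"  # placeholder account
SAMPLE_TASK_DEFINITIONS = [
    # Not host mode: the control skips it regardless of container settings.
    {"task_definition_arn": _ARN + "web:1", "network_mode": "awsvpc",
     "container_definitions": [{"Name": "web", "Privileged": False, "User": "root"}]},
    # Host mode, privileged and non-root user: passes.
    {"task_definition_arn": _ARN + "agent:3", "network_mode": "host",
     "container_definitions": [{"Name": "agent", "Privileged": True, "User": "1000:1000"}]},
    # Host mode with Privileged and User omitted ("empty"): alarm.
    {"task_definition_arn": _ARN + "legacy:7", "network_mode": "host",
     "container_definitions": [{"Name": "legacy"}]},
    # Host mode with one failing and one passing container: the query's DISTINCT
    # over matching containers means a single qualifying container marks the task ok.
    {"task_definition_arn": _ARN + "mixed:2", "network_mode": "host",
     "container_definitions": [{"Name": "a", "Privileged": False, "User": "root"},
                               {"Name": "b", "Privileged": True, "User": "nobody"}]},
]


def _text(value):
    """Emulate PostgreSQL's ->> operator: scalars become text, missing/null keys become None."""
    if value is None:
        return None
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def container_is_secure(container):
    """Same predicate as the CTE: Privileged present and not 'false', User present and not 'root'."""
    privileged = _text(container.get("Privileged"))
    user = _text(container.get("User"))
    return (privileged is not None and privileged != "false"
            and user is not None and user != "root")


def evaluate(task_definition):
    """Return the control status ('skip', 'ok' or 'alarm') for one task definition row."""
    mode = task_definition.get("network_mode")
    if mode is None or mode != "host":
        return "skip"
    containers = task_definition.get("container_definitions") or []
    return "ok" if any(container_is_secure(c) for c in containers) else "alarm"


def evaluate_all(task_definitions):
    """Map each task definition ARN to its status, as the control's result rows would."""
    return {t["task_definition_arn"]: evaluate(t) for t in task_definitions}


if __name__ == "__main__":
    for arn, status in evaluate_all(SAMPLE_TASK_DEFINITIONS).items():
        print(f"{status:5} {arn}")
```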

Tags