turbot/steampipe-mod-aws-compliance

Control: 1 Amazon ECS task definitions should have secure networking modes and user definitions

Description

This control checks whether an Amazon ECS task definition that has host networking mode also has 'privileged' or 'user' container definitions. The control fails for task definitions that have host network mode and container definitions where privileged is false or empty and user is root or empty.

If a task definition has elevated privileges, it is because the customer has specifically opted in to that configuration. This control checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted in to elevated privileges.
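To make the fail condition above concrete, here is an added example (not the mod's own code) that evaluates constructed task definitions with the control's skip/ok/alarm semantics. It assumes the PascalCase keys the query reads from the aws_ecs_task_definition column ('NetworkMode', 'ContainerDefinitions', 'Privileged', 'User'), flags a task definition when any of its containers matches the fail pattern, and goes slightly beyond the Description by also treating UID 0 and 'root:group' forms as root.

```python
from typing import Any, Dict, List, Optional, Tuple

def _runs_as_root(user: Optional[str]) -> bool:
    # The Description names 'root' or empty; UID 0 and 'root:group' / '0:group'
    # forms are added here because the runtime resolves them to root as well.
    return (user or "").strip().split(":", 1)[0] in {"", "root", "0"}

def container_is_secure(container: Dict[str, Any]) -> bool:
    """A container fails only when it is not privileged AND runs as root."""
    # Keys use the PascalCase shape of the aws_ecs_task_definition column that
    # the query reads ('Privileged', 'User'); unset means not privileged / root.
    return bool(container.get("Privileged")) or not _runs_as_root(container.get("User"))

def evaluate_task_definition(td: Dict[str, Any]) -> Tuple[str, str]:
    """Return (status, reason) using the control's skip/ok/alarm semantics."""
    title = td.get("Family") or td.get("TaskDefinitionArn") or "task definition"
    if td.get("NetworkMode") != "host":
        return "skip", f"{title} is not in host network mode."
    # Any container matching the fail pattern flags the whole task definition.
    insecure = [c.get("Name", "?") for c in td.get("ContainerDefinitions") or []
                if not container_is_secure(c)]
    if insecure:
        return "alarm", f"{title} uses host network mode with insecure container(s): {', '.join(insecure)}."
    return "ok", f"{title} has secure host network mode."

# Constructed sample task definitions (not real AWS resources).
SAMPLE_TASK_DEFINITIONS: List[Dict[str, Any]] = [
    {"Family": "web-bridge", "NetworkMode": "bridge",
     "ContainerDefinitions": [{"Name": "web"}]},
    {"Family": "agent-host-root", "NetworkMode": "host",
     "ContainerDefinitions": [{"Name": "agent", "Privileged": False}]},
    {"Family": "agent-host-nonroot", "NetworkMode": "host",
     "ContainerDefinitions": [{"Name": "agent", "User": "1000:1000"}]},
    {"Family": "mixed-host", "NetworkMode": "host",
     "ContainerDefinitions": [{"Name": "sidecar", "Privileged": True},
                              {"Name": "app", "User": "root"}]},
]

def run_control(tds: List[Dict[str, Any]]) -> Dict[str, str]:
    """Map each task definition family to its status, like the query's status column."""
    return {td["Family"]: evaluate_task_definition(td)[0] for td in tds}

if __name__ == "__main__":
    for td in SAMPLE_TASK_DEFINITIONS:
        print(*evaluate_task_definition(td))
```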

Remediation

For information on how to update a task definition, see Updating a task definition.

Note that when you update a task definition, it does not update running tasks that were launched from the previous task definition. To update a running task, you must redeploy the task with the new task definition.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ecs_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ecs_1 --share

SQL

This control uses a named query:

with host_network_task_definition as (
  -- Task definitions in host network mode that have at least one container
  -- which both opts in to privileged mode and runs as a non-root user.
  select distinct
    task_definition_arn as arn
  from
    aws_ecs_task_definition,
    jsonb_array_elements(container_definitions) as c
  where
    network_mode = 'host'
    and (
      c ->> 'Privileged' is not null
      and c ->> 'Privileged' <> 'false'
    )
    and (
      c ->> 'User' is not null
      and c ->> 'User' <> 'root'
    )
)
select
  a.task_definition_arn as resource,
  case
    when a.network_mode is null or a.network_mode <> 'host' then 'skip'
    when b.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when a.network_mode is null or a.network_mode <> 'host' then a.title || ' is not in host network mode.'
    when b.arn is not null then a.title || ' has secure host network mode.'
    else a.title || ' does not have secure host network mode.'
  end as reason,
  region,
  account_id
from
  aws_ecs_task_definition as a
  left join host_network_task_definition as b on a.task_definition_arn = b.arn;

Tags