Control: ECS containers should run in non-privileged mode

Description

This control checks if the privileged parameter in the container definition of Amazon ECS Task Definitions is set to true. The control fails if this parameter is equal to true.

Usage

Run the control in your terminal:

powerpipe control run terraform_aws_compliance.control.ecs_task_definition_container_non_privileged

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run terraform_aws_compliance.control.ecs_task_definition_container_non_privileged --share

SQL

This control uses a named query:

with task_with_root_privilege as (
  select
    distinct (address ) as name
  from
    terraform_resource,
    jsonb_array_elements(
      case when ((attributes_std ->> 'container_definitions') = '')
        then null
        else (attributes_std ->> 'container_definitions')::jsonb end
    ) as s where (s ->> 'privilege')::boolean and type = 'aws_ecs_task_definition'
  )
  select
    r.address as resource,
    case
      when p.name is null then 'ok'
      else 'alarm'
    end status,
    split_part(r.address, '.', 2) || case
      when p.name is null then ' does not have elevated privileges'
      else ' has elevated privileges'
    end || '.' reason
    
    , path || ':' || start_line
  from
    terraform_resource as r
    left join task_with_root_privilege as p on p.name = r.address
  where
    type = 'aws_ecs_task_definition';

Control: ECS containers should run in non-privileged mode

Description

Usage

SQL

Tags