Control: ECS containers should run in non-privileged mode
Description
This control checks if the privileged parameter in the container definition of Amazon ECS Task Definitions is set to true. The control fails if this parameter is equal to true.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.ecs_task_definition_container_non_privilegedSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run terraform_aws_compliance.control.ecs_task_definition_container_non_privileged --shareSQL
This control uses a named query:
with task_with_root_privilege as ( select distinct (address ) as name from terraform_resource, jsonb_array_elements( case when ((attributes_std ->> 'container_definitions') = '') then null else (attributes_std ->> 'container_definitions')::jsonb end ) as s where (s ->> 'privilege')::boolean and type = 'aws_ecs_task_definition' ) select r.address as resource, case when p.name is null then 'ok' else 'alarm' end status, split_part(r.address, '.', 2) || case when p.name is null then ' does not have elevated privileges' else ' has elevated privileges' end || '.' reason , path || ':' || start_line from terraform_resource as r left join task_with_root_privilege as p on p.name = r.address where type = 'aws_ecs_task_definition';