Control: ECS task definitions should not share the host's process namespace
Description
This control checks whether Amazon ECS task definitions are configured to share the host's process namespace with their containers. The control fails if the task definition shares the host's process namespace with the containers running in it.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.ecs_task_definition_no_host_pid_mode
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_aws_compliance.control.ecs_task_definition_no_host_pid_mode --share
SQL
This control uses a named query:
with task_with_host as (
  -- task definitions whose container_definitions JSON requests the host PID namespace
  select distinct address as name
  from terraform_resource,
    jsonb_array_elements(
      case
        when (attributes_std ->> 'container_definitions') = '' then null
        else (attributes_std ->> 'container_definitions')::jsonb
      end
    ) as s
  where s ->> 'pidMode' = 'host'
    and type = 'aws_ecs_task_definition'
)
select
  r.address as resource,
  case
    when h.name is null then 'ok'
    else 'alarm'
  end status,
  -- reason text must agree with the status: no match means the namespace is not shared
  split_part(r.address, '.', 2) || case
    when h.name is null then ' does not share the host process namespace'
    else ' shares the host process namespace'
  end || '.' reason,
  path || ':' || start_line
from terraform_resource as r
left join task_with_host as h on h.name = r.address
where type = 'aws_ecs_task_definition';
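As an added example (not code from the Powerpipe mod), the same check carried out in Python over Terraform resources expressed as JSON: it flags a task definition both when `pid_mode = "host"` is set at the task level, which is where Terraform's aws_ecs_task_definition exposes the setting, and when a `pidMode` key appears inside the container_definitions string that the control's query inspects. The sample resources are constructed.

```python
import json

# Constructed Terraform JSON: 'api' sets pid_mode at the task level, 'worker'
# embeds pidMode in the container_definitions string, 'web' is clean.
SAMPLE_TF_JSON = json.dumps({
    "resource": {
        "aws_ecs_task_definition": {
            "api": {"family": "api", "pid_mode": "host",
                    "container_definitions": "[{\"name\": \"api\"}]"},
            "worker": {"family": "worker",
                       "container_definitions": "[{\"name\": \"w\", \"pidMode\": \"host\"}]"},
            "web": {"family": "web", "pid_mode": "task",
                    "container_definitions": "[{\"name\": \"web\"}]"},
        }
    }
})


def shares_host_pid(attrs: dict) -> bool:
    """True if the task definition, or any entry in its container_definitions
    (the location the control's SQL inspects), requests the host PID namespace."""
    if attrs.get("pid_mode") == "host":
        return True
    raw = attrs.get("container_definitions") or ""
    try:
        containers = json.loads(raw) if isinstance(raw, str) else raw
    except json.JSONDecodeError:
        return False  # not valid JSON: nothing to inspect, mirrors the SQL's null branch
    return any(isinstance(c, dict) and c.get("pidMode") == "host" for c in containers or [])


def evaluate(tf_json: str) -> list[dict]:
    """One row per aws_ecs_task_definition with the control's status and reason columns."""
    doc = json.loads(tf_json)
    rows = []
    for name, attrs in doc.get("resource", {}).get("aws_ecs_task_definition", {}).items():
        shared = shares_host_pid(attrs)
        rows.append({
            "resource": f"aws_ecs_task_definition.{name}",
            "status": "alarm" if shared else "ok",
            "reason": f"{name} {'shares' if shared else 'does not share'} the host process namespace.",
        })
    return rows


if __name__ == "__main__":
    for row in evaluate(SAMPLE_TF_JSON):
        print(f"{row['status']:5} {row['resource']}: {row['reason']}")
```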