chore(aws): enhance metadata for ecs service (#8888)
Co-authored-by: HugoPBrito <hugopbrit@gmail.com>
committed by
GitHub
parent
d43455971b
commit
cf3800dbbe
@@ -55,6 +55,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
||||
- Update oraclecloud audit service metadata to new format [(#9221)](https://github.com/prowler-cloud/prowler/pull/9221)
|
||||
- Raise ASFF output error for non-AWS providers [(#9225)](https://github.com/prowler-cloud/prowler/pull/9225)
|
||||
- Update AWS ECR service metadata to new format [(#8872)](https://github.com/prowler-cloud/prowler/pull/8872)
|
||||
- Update AWS ECS service metadata to new format [(#8888)](https://github.com/prowler-cloud/prowler/pull/8888)
|
||||
|
||||
---
|
||||
|
||||
@@ -130,6 +131,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
||||
- Update AWS CloudFront service metadata to new format [(#8829)](https://github.com/prowler-cloud/prowler/pull/8829)
|
||||
- Deprecate user authentication for M365 provider [(#8865)](https://github.com/prowler-cloud/prowler/pull/8865)
|
||||
|
||||
|
||||
### Fixed
|
||||
- Fix SNS topics showing empty AWS_ResourceID in Quick Inventory output [(#8762)](https://github.com/prowler-cloud/prowler/issues/8762)
|
||||
- Fix HTML Markdown output for long strings [(#8803)](https://github.com/prowler-cloud/prowler/pull/8803)
|
||||
|
||||
@@ -30,7 +30,7 @@
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"vulnerabilities"
|
||||
"container-security"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -32,7 +32,8 @@
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"internet-exposed"
|
||||
"internet-exposed",
|
||||
"container-security"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -33,7 +33,7 @@
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"vulnerabilities"
|
||||
"container-security"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -35,7 +35,6 @@
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"vulnerabilities",
|
||||
"container-security"
|
||||
],
|
||||
"DependsOn": [],
|
||||
|
||||
@@ -32,8 +32,7 @@
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"container-security",
|
||||
"software-supply-chain"
|
||||
"container-security"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
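Review bot: With old count 8, new count 7 and nine printed lines, the only assignment consistent with valid JSON is that `"container-security",` and `"software-supply-chain"` are removed and `"container-security"` added, so this file loses its `software-supply-chain` category; the file header is outside SOURCE, so I cannot tell which check this is, but anyone filtering by that category will no longer see it. If the narrowing is intentional, a changelog line naming the category change would help; if not, keep `"software-supply-chain"` as a second element. The hunks at `@@ -30,7 +30,7 @@`, `@@ -33,7 +33,7 @@` and `@@ -35,7 +35,6 @@` likewise drop `vulnerabilities` without a changelog note.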
@@ -1,28 +1,38 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "ecs_cluster_container_insights_enabled",
|
||||
"CheckTitle": "ECS clusters should use Container Insights",
|
||||
"CheckTitle": "ECS cluster has Container Insights enabled or enhanced",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks/AWS Security Best Practices"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis"
|
||||
],
|
||||
"ServiceName": "ecs",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:aws:ecs:{region}:{account-id}:cluster/{cluster-name}",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsEcsCluster",
|
||||
"Description": "This control checks if ECS clusters use Container Insights. This control fails if Container Insights are not set up for a cluster.",
|
||||
"Risk": "Without Container Insights, important performance metrics and diagnostic information from containerized applications may not be captured, which can hinder monitoring and troubleshooting.",
|
||||
"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-container-insights-enabled.html",
|
||||
"Description": "**ECS clusters** have CloudWatch **Container Insights** configured via the `containerInsights` setting, accepting `enabled` or `enhanced` values to emit cluster, service, task, and container telemetry.",
|
||||
"Risk": "Without **Container Insights**, ECS operations lack **telemetry** to spot failures and anomalies. Missed CPU/memory/network spikes and restart loops degrade **availability** and delay response. Absent baselines impede detecting abuse (e.g., **cryptomining** or data egress bursts), risking **confidentiality** and unexpected **costs**.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-12",
|
||||
"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cloudwatch-container-insights.html",
|
||||
"https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-metrics-ECS.html",
|
||||
"https://docs.aws.amazon.com/config/latest/developerguide/ecs-container-insights-enabled.html",
|
||||
"https://aws.amazon.com/blogs/aws/container-insights-with-enhanced-observability-now-available-in-amazon-ecs/",
|
||||
"https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/deploy-container-insights-ECS-cluster.html",
|
||||
"https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContainerInsights.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws ecs update-cluster-settings --cluster <cluster-name> --settings name=containerInsights,value=enabled",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-12",
|
||||
"Terraform": ""
|
||||
"NativeIaC": "```yaml\n# CloudFormation: Enable Container Insights on an ECS cluster\nResources:\n <example_resource_name>:\n Type: AWS::ECS::Cluster\n Properties:\n ClusterSettings:\n - Name: containerInsights # Critical: enables CloudWatch Container Insights for the cluster\n Value: enabled # Critical: setting that passes the check\n```",
|
||||
"Other": "1. Open the Amazon ECS console\n2. Go to Clusters and select the target cluster\n3. Click Update cluster\n4. Under CloudWatch Container Insights, enable Container Insights (or Enhanced)\n5. Click Save changes",
|
||||
"Terraform": "```hcl\n# Terraform: Enable Container Insights on an ECS cluster\nresource \"aws_ecs_cluster\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n\n setting {\n name = \"containerInsights\" # Critical: enables CloudWatch Container Insights for the cluster\n value = \"enabled\" # Critical: setting that passes the check\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable Container Insights for your ECS clusters to collect and monitor key performance metrics and diagnostic data from your containers.",
|
||||
"Url": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/deploy-container-insights-ECS-cluster.html"
|
||||
"Text": "Enable **Container Insights** on all clusters-prefer `enhanced` for deeper visibility. Apply at account level for new clusters and enforce via automation.\n\nUse **least privilege** for access to metrics/logs, encrypt logs, and set **alarms** on critical metrics. Correlate with app logs and tracing for **defense in depth** and faster incident detection.",
|
||||
"Url": "https://hub.prowler.com/check/ecs_cluster_container_insights_enabled"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
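Review bot: The Recommendation `Text` in this hunk reads `on all clusters-prefer`, which looks like a lost dash; `on all clusters — prefer \`enhanced\`` (or a semicolon) reads correctly. The CLI remediation and both IaC snippets set `value=enabled` while the title, description and recommendation favour `enhanced`; a short comment in the snippets such as `# use 'enhanced' for enhanced observability` would keep the remediation aligned with the recommendation. The hunk ends mid-object at `"Categories": [`, so the rest of the file is outside SOURCE.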
@@ -1,32 +1,41 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "ecs_service_fargate_latest_platform_version",
|
||||
"CheckTitle": "ECS Fargate services should run on the latest Fargate platform version",
|
||||
"CheckTitle": "ECS Fargate service uses the latest Fargate platform version",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks/AWS Security Best Practices"
|
||||
],
|
||||
"ServiceName": "ecs",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:aws:ecs:{region}:{account-id}:service/{service-name}",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsEcsService",
|
||||
"Description": "This control checks if Amazon ECS Fargate services are running the latest Fargate platform version. The control fails if the platform version is not the latest.",
|
||||
"Risk": "Not running the latest Fargate platform version may expose your services to security vulnerabilities and bugs that are resolved in newer versions.",
|
||||
"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-fargate-latest-platform-version.html",
|
||||
"Description": "**ECS Fargate services** use the **latest Fargate platform version** via `platformVersion`=`LATEST` or an explicit value matching the current release for their `platformFamily` (Linux/Windows).",
|
||||
"Risk": "Running on an outdated platform leaves known CVEs in the kernel/runtime unpatched, risking:\n- **Confidentiality**: data exposure via container escape\n- **Integrity**: privilege escalation and tampering\n- **Availability**: crashes/DoS and instability under load",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://servian.dev/setting-up-fargate-for-ecs-exec-8f5cc8d7d80e",
|
||||
"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform-fargate.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ECS/platform-version.html",
|
||||
"https://docs.aws.amazon.com/config/latest/developerguide/ecs-fargate-latest-platform-version.html",
|
||||
"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-10"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws ecs update-service --cluster <cluster-name> --service <service-name> --platform-version LATEST",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-10",
|
||||
"Terraform": ""
|
||||
"NativeIaC": "```yaml\n# CloudFormation: set ECS Fargate service to latest platform version\nResources:\n <example_resource_name>:\n Type: AWS::ECS::Service\n Properties:\n Cluster: <example_resource_id>\n TaskDefinition: <example_resource_name>\n LaunchType: FARGATE\n PlatformVersion: LATEST # Critical: use the latest Fargate platform version\n NetworkConfiguration:\n AwsvpcConfiguration:\n Subnets:\n - <example_resource_id>\n```",
|
||||
"Other": "1. In the AWS Console, go to Amazon ECS\n2. Open your cluster and select the service\n3. Click Update\n4. Set Platform version to LATEST\n5. Click Update service (or Deploy) to apply",
|
||||
"Terraform": "```hcl\n# ECS Fargate service using the latest platform version\nresource \"aws_ecs_service\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n cluster = \"<example_resource_id>\"\n task_definition = \"<example_resource_name>\"\n launch_type = \"FARGATE\"\n platform_version = \"LATEST\" # Critical: ensures the latest Fargate platform version\n\n network_configuration {\n subnets = [\"<example_resource_id>\"]\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Update your ECS Fargate services to the latest platform version to ensure they are running in a secure and optimized environment.",
|
||||
"Url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html"
|
||||
"Text": "- Prefer `platformVersion` `LATEST` to receive patches.\n- If pinning, monitor releases and redeploy quickly to the current version.\n- Automate updates with staged rollouts in CI/CD.\n- Apply **defense in depth** and **least privilege** to limit runtime exploit impact.",
|
||||
"Url": "https://hub.prowler.com/check/ecs_service_fargate_latest_platform_version"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"vulnerabilities"
|
||||
"vulnerabilities",
|
||||
"container-security"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
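Review bot: The first `AdditionalURLs` entry, `https://servian.dev/setting-up-fargate-for-ecs-exec-8f5cc8d7d80e`, is a third-party post whose slug suggests it is about ECS Exec rather than platform versions, and the Trend Micro link is also non-AWS; consider dropping the off-topic entry and listing the AWS documentation links first so the Config rule and Security Hub `ecs-10` references are what readers reach. The Description states that an explicit value matching the current release also passes, which is a claim about the check logic outside this hunk; confirm it matches the implementation before shipping the wording.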
@@ -1,28 +1,34 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "ecs_service_no_assign_public_ip",
|
||||
"CheckTitle": "ECS services should not assign public IPs automatically",
|
||||
"CheckTitle": "ECS service does not have automatic public IP assignment",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks/AWS Security Best Practices"
|
||||
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
|
||||
],
|
||||
"ServiceName": "ecs",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:aws:ecs:{region}:{account-id}:service/{service-name}",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "AwsEcsService",
|
||||
"Description": "This control checks whether Amazon ECS services are configured to automatically assign public IP addresses. The control fails if AssignPublicIP is ENABLED and passes if it is DISABLED.",
|
||||
"Risk": "Having public IP addresses assigned to ECS services automatically can expose services to the internet, increasing the risk of unauthorized access, data breaches, and cyberattacks.",
|
||||
"RelatedUrl": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html",
|
||||
"Description": "**ECS services** are assessed for automatic public IP assignment via the `assignPublicIp` setting in their network configuration.\n\nThe finding indicates whether tasks launched by the service receive a public IP or are limited to private addressing.",
|
||||
"Risk": "Automatic **public IPs** make tasks directly reachable from the Internet, enabling:\n- Port scanning and remote exploitation\n- Brute-force against admin endpoints\n- Data exfiltration via exposed APIs\nThis jeopardizes **confidentiality**, **integrity**, and **availability**, and can facilitate lateral movement within the VPC.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-2",
|
||||
"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html",
|
||||
"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws ecs update-service --cluster <cluster-name> --service <service-name> --network-configuration 'awsvpcConfiguration={assignPublicIp=DISABLED}'",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-2",
|
||||
"Terraform": ""
|
||||
"CLI": "aws ecs update-service --cluster <cluster-name> --service <service-name> --network-configuration \"awsvpcConfiguration={subnets=[<subnet-id>],assignPublicIp=DISABLED}\"",
|
||||
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::ECS::Service\n Properties:\n Cluster: <example_resource_id>\n TaskDefinition: <example_resource_id>\n NetworkConfiguration:\n AwsvpcConfiguration:\n Subnets:\n - <example_resource_id>\n AssignPublicIp: DISABLED # Critical: disables automatic public IP assignment for the service\n```",
|
||||
"Other": "1. In the AWS Console, go to ECS > Clusters and open your cluster\n2. Select the service and click Update\n3. Under Networking (awsvpc), set Assign public IP to Disabled\n4. Click Update service to apply",
|
||||
"Terraform": "```hcl\nresource \"aws_ecs_service\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n cluster = \"<example_resource_id>\"\n task_definition = \"<example_resource_id>\"\n\n network_configuration {\n subnets = [\"<example_resource_id>\"]\n assign_public_ip = false # Critical: disables automatic public IP assignment\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Disable automatic public IP address assignment for your ECS services to ensure they are not publicly accessible.",
|
||||
"Url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security.html"
|
||||
"Text": "Disable `assignPublicIp` to keep tasks private. Expose services through **load balancers** or **private endpoints**, restrict ingress with **least-privilege** security groups, and route egress via **NAT**. Apply **defense in depth** (WAF, TLS, monitoring) and segment networks to minimize blast radius.",
|
||||
"Url": "https://hub.prowler.com/check/ecs_service_no_assign_public_ip"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
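Review bot: The `NativeIaC` and `Terraform` snippets set only `Subnets` and `AssignPublicIp`/`assign_public_ip`, so a task launched from them presumably falls back to the VPC default security group, while the Recommendation `Text` in the same hunk asks for least-privilege security groups. Adding `SecurityGroups:\n - <example_resource_id>` under `AwsvpcConfiguration` and `security_groups = ["<example_resource_id>"]` in `network_configuration` would make the examples match the recommendation. The CLI line's `<subnet-id>` placeholder also differs from the `<example_resource_id>` convention used in the IaC snippets.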
@@ -1,32 +1,39 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "ecs_task_definitions_containers_readonly_access",
|
||||
"CheckTitle": "ECS containers should be limited to read-only access to root filesystems",
|
||||
"CheckTitle": "ECS task definition has all containers with read-only root filesystems",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks/AWS Security Best Practices"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/CIS Host Hardening Benchmarks"
|
||||
],
|
||||
"ServiceName": "ecs",
|
||||
"SubServiceName": "taskDefinition",
|
||||
"ResourceIdTemplate": "arn:aws:ecs:{region}:{account-id}:task-definition/{task-definition-name}",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "AwsEcsTaskDefinition",
|
||||
"Description": "This control checks if Amazon ECS containers are limited to read-only access to mounted root filesystems. The control fails if the readonlyRootFilesystem parameter is set to false or if the parameter doesn't exist in the container definition.",
|
||||
"Risk": "If ECS containers have write access to root filesystems, it increases the risk of filesystem tampering and exploitation of vulnerabilities, violating the principle of least privilege.",
|
||||
"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-containers-readonly-access.html",
|
||||
"Description": "Amazon ECS task definitions specify whether container root filesystems are **read-only** via `readonlyRootFilesystem`. Containers where this setting is absent or set to `false` effectively have write access to the root filesystem.",
|
||||
"Risk": "A **writable root filesystem** enables runtime tampering and persistence. Attackers can modify binaries or configs, drop implants, or delete critical files, degrading **integrity** and **availability**. Access to writable paths can also expose secrets and logs, eroding **confidentiality** and complicating incident response.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/config/latest/developerguide/ecs-containers-readonly-access.html",
|
||||
"https://docs.aws.amazon.com/AmazonECS/latest/userguide/task_definition_parameters.html#container_definition_readonly",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-5"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws ecs register-task-definition --family <task-family> --container-definitions '[{\"name\":\"<container-name>\",\"image\":\"<image>\",\"readonlyRootFilesystem\":true}]'",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-5",
|
||||
"Terraform": ""
|
||||
"NativeIaC": "```yaml\n# CloudFormation: ECS task definition with read-only root filesystem\nResources:\n <example_resource_name>:\n Type: AWS::ECS::TaskDefinition\n Properties:\n Family: <example_resource_name>\n ContainerDefinitions:\n - Name: <example_resource_name>\n Image: <image>\n ReadonlyRootFilesystem: true # Critical: enforces read-only root FS for the container\n```",
|
||||
"Other": "1. In the AWS Console, go to Amazon ECS > Task Definitions\n2. Select the task family <task-family> and click Create new revision\n3. For each container, edit and enable Read-only root filesystem (readonlyRootFilesystem = true)\n4. Click Create to register the new revision\n5. (If needed) Update services to use the new revision",
|
||||
"Terraform": "```hcl\n# ECS task definition with read-only root filesystem\nresource \"aws_ecs_task_definition\" \"<example_resource_name>\" {\n family = \"<example_resource_name>\"\n container_definitions = jsonencode([\n {\n name = \"<example_resource_name>\"\n image = \"<image>\"\n readonlyRootFilesystem = true # Critical: enforces read-only root FS for the container\n }\n ])\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure that containers have read-only access to their root filesystems to limit write access and reduce the attack surface.",
|
||||
"Url": "https://docs.aws.amazon.com/AmazonECS/latest/userguide/task_definition_parameters.html#container_definition_readonly"
|
||||
"Text": "Enforce `readonlyRootFilesystem: true` for containers.\n- Grant write access only via specific volumes required by the app\n- Apply **least privilege** and **defense in depth**: run as non-root, drop unnecessary capabilities, and keep images immutable so runtime writes aren't needed",
|
||||
"Url": "https://hub.prowler.com/check/ecs_task_definitions_containers_readonly_access"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"vulnerabilities"
|
||||
"container-security"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
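Review bot: Placeholder naming is inconsistent within the new Remediation block: the unchanged CLI keeps `<task-family>` and `<container-name>`, the `Other` steps reference `<task-family>`, while `NativeIaC` and `Terraform` use `<example_resource_name>` for both the family and the container name. Pick one placeholder per concept (for example `<task-family>`, `<container-name>`, `<image>`) across all four fields so a reader can map the console steps to the IaC. Since the Description says the check fails when the setting is absent on any container, `Other` step 3 could end with `(repeat for every container definition in the task)`.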
@@ -1,32 +1,40 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "ecs_task_definitions_host_namespace_not_shared",
|
||||
"CheckTitle": "ECS task definitions should not share the host's process namespace",
|
||||
"CheckTitle": "ECS task definition does not share the host's process namespace with its containers",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks/AWS Security Best Practices"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/CIS Host Hardening Benchmarks",
|
||||
"TTPs/Privilege Escalation",
|
||||
"TTPs/Discovery"
|
||||
],
|
||||
"ServiceName": "ecs",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:aws:ecs:{region}:{account-id}:task-definition/{task-definition-name}",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "AwsEcsTaskDefinition",
|
||||
"Description": "This control checks if Amazon ECS task definitions are configured to share a host's process namespace with its containers. The control fails if the task definition shares the host's process namespace.",
|
||||
"Risk": "Sharing the host's process namespace with containers exposes host processes, potentially allowing unauthorized access or manipulation of host-level processes, undermining container isolation.",
|
||||
"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-pid-mode-check.html",
|
||||
"Description": "**ECS task definitions** where `pidMode` is `host` are configured to share the host's **process namespace** with containers, rather than using isolated task or private namespaces.",
|
||||
"Risk": "**Host PID sharing** lets containers view and interact with host processes, eroding isolation.\n- Confidentiality: process enumeration and metadata leakage\n- Integrity/Availability: signal or `ptrace` tampering, killing services\n\nEnables lateral movement and privilege escalation from a compromised container.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-3",
|
||||
"https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-pid-mode-check.html",
|
||||
"https://docs.aws.amazon.com/AmazonECS/latest/userguide/task_definition_parameters.html#container_definition_pid_mode"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws ecs register-task-definition --family <task-family> --container-definitions '[{\"name\":\"<container-name>\",\"image\":\"<image>\",\"pidMode\":\"task\"}]'",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-3",
|
||||
"Terraform": ""
|
||||
"CLI": "aws ecs register-task-definition --family <example_resource_name> --pid-mode task --container-definitions '[{\"name\":\"<container-name>\",\"image\":\"<image>\"}]'",
|
||||
"NativeIaC": "```yaml\n# CloudFormation: ECS Task Definition without host PID namespace\nResources:\n <example_resource_name>:\n Type: AWS::ECS::TaskDefinition\n Properties:\n Family: <example_resource_name>\n ContainerDefinitions:\n - Name: <container-name>\n Image: <image>\n PidMode: task # Critical: ensures containers use task PID namespace, not host\n```",
|
||||
"Other": "1. In the AWS Console, go to Amazon ECS > Task Definitions\n2. Select the task definition and click Create new revision\n3. Set Process namespace sharing (PID mode) to Task (not Host)\n4. Save the new revision\n5. (If the previous Host PID revision remains active) Select that revision and click Deregister",
|
||||
"Terraform": "```hcl\n# ECS Task Definition without host PID namespace\nresource \"aws_ecs_task_definition\" \"example\" {\n family = \"<example_resource_name>\"\n container_definitions = jsonencode([{ name = \"<container-name>\", image = \"<image>\" }])\n pid_mode = \"task\" # Critical: prevents sharing the host's process namespace\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Avoid sharing the host's process namespace with containers to maintain process isolation and enhance security.",
|
||||
"Url": "https://docs.aws.amazon.com/AmazonECS/latest/userguide/task_definition_parameters.html#container_definition_pid_mode"
|
||||
"Text": "Prefer **isolated PID namespaces**: set `pidMode=task` or use the default per-container namespace. Avoid `host` PID sharing except for tightly controlled diagnostics.\n\nApply **least privilege**: non-root users, minimal capabilities, read-only filesystems; and **defense in depth** with network and runtime controls.",
|
||||
"Url": "https://hub.prowler.com/check/ecs_task_definitions_host_namespace_not_shared"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"vulnerabilities"
|
||||
"container-security"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
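Review bot: The Terraform snippet names the resource `"example"` (`resource "aws_ecs_task_definition" "example"`) while the CLI, CloudFormation and the other ECS metadata files in this commit use `<example_resource_name>`; `resource "aws_ecs_task_definition" "<example_resource_name>" {` keeps the placeholder convention. Moving `--pid-mode task` out of the container definition on the CLI line is the right fix, as `pidMode` is a task-level parameter, so the remaining issue is only consistency.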
@@ -1,32 +1,45 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "ecs_task_definitions_host_networking_mode_users",
|
||||
"CheckTitle": "Amazon ECS task definitions should have secure networking modes and user definitions",
|
||||
"CheckTitle": "Amazon ECS task definition does not use host network mode, or non-privileged containers specify a non-root user",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks/AWS Security Best Practices"
|
||||
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
|
||||
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/CIS Host Hardening Benchmarks",
|
||||
"TTPs/Privilege Escalation",
|
||||
"TTPs/Lateral Movement"
|
||||
],
|
||||
"ServiceName": "ecs",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:aws:ecs:region:account-id:task-definition/resource-id",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "AwsEcsTaskDefinition",
|
||||
"Description": "This control checks whether an active Amazon ECS task definition with host networking mode has privileged or user container definitions. The control fails for task definitions that have host network mode and container definitions of privileged=false or empty, and user=root or empty.",
|
||||
"Risk": "If ECS tasks are configured with host networking and either lack a defined user or run with elevated privileges, this can lead to privilege escalation, unauthorized access to resources, and increased exposure to vulnerabilities.",
|
||||
"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-user-for-host-mode-check.html",
|
||||
"Description": "**Amazon ECS task definitions** in `host` network mode are assessed for containers where `privileged=false` and the container `user` is `root` or unset.",
|
||||
"Risk": "Sharing the host network lets containers reach host interfaces directly. Running as **root** (or with no user set) increases the chance to bind low ports, sniff traffic, or impersonate services, and makes kernel flaws more exploitable-enabling data exfiltration, tampering, and outages, impacting **confidentiality**, **integrity**, and **availability**.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-6",
|
||||
"https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-user-for-host-mode-check.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html",
|
||||
"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-task-definition-console-v2.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws ecs update-task-definition --task-definition <task-definition-name> --network-mode awsvpc --requires-compatibilities FARGATE --user <user-name>",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-6",
|
||||
"Terraform": ""
|
||||
"CLI": "",
|
||||
"NativeIaC": "```yaml\n# CloudFormation: ECS task definition not using host network mode\nResources:\n <example_resource_name>:\n Type: AWS::ECS::TaskDefinition\n Properties:\n NetworkMode: awsvpc # CRITICAL: avoids host mode to pass the check\n ContainerDefinitions:\n - Name: <example_resource_name>\n Image: <image>\n```",
|
||||
"Other": "1. Open the Amazon ECS console and go to Task definitions\n2. Select the task definition and choose the latest revision\n3. Click Create new revision\n4. Set Network mode to awsvpc (not host)\n5. Save the revision and, if used by a service, update the service to this new revision\n6. If you must keep host mode: edit each non-privileged container and set User to a non-root value (e.g., 1000) and save a new revision",
|
||||
"Terraform": "```hcl\n# ECS task definition not using host network mode\nresource \"aws_ecs_task_definition\" \"<example_resource_name>\" {\n family = \"<example_resource_name>\"\n network_mode = \"awsvpc\" # CRITICAL: avoids host mode to pass the check\n container_definitions = jsonencode([\n {\n name = \"<example_resource_name>\"\n image = \"nginx\"\n }\n ])\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure your ECS task definitions use the awsvpc networking mode and have secure user configurations when using host networking mode.",
|
||||
"Url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-task-definition-console-v2.html"
|
||||
"Text": "Prefer **`awsvpc`** for isolation. If `host` is required, enforce **least privilege**:\n- Run as a non-root `user`\n- Avoid `privileged` unless strictly justified\n- Limit capabilities and exposed ports\n\nApply **defense in depth** with network segmentation and minimal IAM permissions.",
|
||||
"Url": "https://hub.prowler.com/check/ecs_task_definitions_host_networking_mode_users"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"trustboundaries"
|
||||
"container-security",
|
||||
"trust-boundaries"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
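Review bot: The `Categories` change renames `trustboundaries` to `trust-boundaries` while adding `container-security`; if other metadata files in the repository still use `trustboundaries`, category filtering, which matches the string exactly, will separate this check from them, so verify the spelling is consistent repository-wide or rename the others in the same change. In the `Terraform` snippet, `image = "nginx"` is a concrete image where the CloudFormation snippet uses `<image>`; `image = "<image>"` keeps the examples consistent. Emptying `CLI` is reasonable since the previous `update-task-definition` command does not appear to be an ECS CLI operation, but a `register-task-definition --network-mode awsvpc` example would preserve a CLI remediation path.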
@@ -1,32 +1,39 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "ecs_task_definitions_logging_block_mode",
|
||||
"CheckTitle": "ECS task definitions containers should have a logging configured with non blocking mode",
|
||||
"CheckTitle": "ECS task definition has container logging in non-blocking mode",
|
||||
"CheckType": [
|
||||
"Resilience"
|
||||
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
|
||||
"Effects/Denial of Service"
|
||||
],
|
||||
"ServiceName": "ecs",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:aws:ecs:{region}:{account-id}:task-definition/{task-definition-name}",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "low",
|
||||
"ResourceType": "AwsEcsTaskDefinition",
|
||||
"Description": "This control checks if the latest active Amazon ECS task definition has a logging configuration set to non blocking mode.",
|
||||
"Risk": "When logs cannot be immediately sent to Amazon CloudWatch, calls from container code to write to stdout or stderr will block and halt execution of the code. The logging thread in the application will block, which may prevent the application from functioning and lead to health check failures and task termination. Container startup fails if the required log group or log stream cannot be created.",
|
||||
"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-log-configuration.html",
|
||||
"Description": "**ECS task definition containers** use **non-blocking logging mode** via the `logConfiguration.mode` option on the latest active revision",
|
||||
"Risk": "**Blocking log mode** can stall writes to stdout/stderr, making containers unresponsive, failing health checks, and causing task restarts or startup failures if log groups/streams can't be created. This reduces **availability** and may trigger cascading instability across dependent services.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-log-configuration.html",
|
||||
"https://www.amazonaws.cn/en/blog-selection/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/",
|
||||
"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html#specify-log-config"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws ecs register-task-definition --family <task-family> --container-definitions '[{\"name\":\"<container-name>\",\"image\":\"<image>\",\"logConfiguration\":{\"logDriver\":\"awslogs\",\"options\":{\"awslogs-group\":\"<log-group>\",\"awslogs-region\":\"<region>\",\"awslogs-stream-prefix\":\"ecs\",\"mode\":\"non-blocking\"}}}]'",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.aws.amazon.com/awssupport/latest/user/fault-tolerance-checks.html#amazon-ec2-awslogs-driver-blockingmode",
|
||||
"Terraform": ""
|
||||
"NativeIaC": "```yaml\n# CloudFormation: ECS Task Definition with non-blocking container logging\nResources:\n <example_resource_name>:\n Type: AWS::ECS::TaskDefinition\n Properties:\n Family: <example_resource_name>\n ContainerDefinitions:\n - Name: <example_resource_name>\n Image: <image>\n LogConfiguration:\n LogDriver: awslogs\n Options:\n awslogs-group: <log-group>\n awslogs-region: <region>\n awslogs-stream-prefix: ecs\n mode: non-blocking # CRITICAL: sets logging to non-blocking to pass the check\n```",
|
||||
"Other": "1. Open the AWS Console and go to ECS > Task Definitions\n2. Select the failing task definition and choose Create new revision\n3. Edit the affected container > Log configuration\n4. Set Log driver to awslogs and add option: mode = non-blocking\n5. Ensure awslogs-group, awslogs-region, and (if needed) awslogs-stream-prefix are set\n6. Save and Create; the new revision will have non-blocking logging",
|
||||
"Terraform": "```hcl\n# ECS Task Definition with container logging set to non-blocking\nresource \"aws_ecs_task_definition\" \"<example_resource_name>\" {\n family = \"<example_resource_name>\"\n\n # CRITICAL: \"mode\": \"non-blocking\" in logConfiguration options enforces non-blocking logging\n container_definitions = jsonencode([\n {\n name = \"<example_resource_name>\"\n image = \"<image>\"\n logConfiguration = {\n logDriver = \"awslogs\"\n options = {\n awslogs-group = \"<log-group>\"\n awslogs-region = \"<region>\"\n awslogs-stream-prefix = \"ecs\"\n mode = \"non-blocking\" # CRITICAL: required to pass the check\n }\n }\n }\n ])\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Configure logging in ECS task definition to non blocking mode to ensure any issues writing logs will not block or halt the container execution.",
|
||||
"Url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html#specify-log-config"
|
||||
"Text": "Set `logConfiguration.mode` to `non-blocking` for all containers and size `max-buffer-size` to handle bursts. Keep log destinations in-Region to lower latency. Apply **defense in depth**: decouple application execution from logging, monitor log throughput, and design for backpressure so logging never blocks runtime.",
|
||||
"Url": "https://hub.prowler.com/check/ecs_task_definitions_logging_block_mode"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"logging"
|
||||
"logging",
|
||||
"resilience"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
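Review bot: The new Description and Recommendation name the setting `logConfiguration.mode`, but the awslogs driver takes `mode` inside `logConfiguration.options`, which is exactly where the CLI, CloudFormation and Terraform examples in this hunk place it; the text should read `logConfiguration.options.mode` so operators do not look for a field that does not exist. The Recommendation also tells operators to size `max-buffer-size`, yet none of the three examples set it, so anyone copying them gets the driver's default buffer; adding `"max-buffer-size": "<size>"` next to `mode` would make the examples match the advice. It is also worth stating in Risk or Recommendation that non-blocking mode trades stalled writes for possible dropped log lines once the buffer fills, which matters to anyone relying on these logs as an audit trail.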
|
||||
|
||||
@@ -1,28 +1,34 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "ecs_task_definitions_logging_enabled",
|
||||
"CheckTitle": "ECS task definitions containers should have a logging configuration",
|
||||
"CheckTitle": "ECS task definition has logging configured for all containers",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks/AWS Security Best Practices"
|
||||
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
|
||||
],
|
||||
"ServiceName": "ecs",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:aws:ecs:{region}:{account-id}:task-definition/{task-definition-name}",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "AwsEcsTaskDefinition",
|
||||
"Description": "This control checks if the latest active Amazon ECS task definition has a logging configuration specified. The control fails if the task definition doesn't have the logConfiguration property defined or if the value for logDriver is null in at least one container definition.",
|
||||
"Risk": "Without a logging configuration, important data may be lost, making it difficult to troubleshoot issues, monitor performance, and ensure compliance with auditing requirements.",
|
||||
"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-log-configuration.html",
|
||||
"Description": "**Amazon ECS task definition** containers specify a **logging configuration** with a non-null `logDriver` for every container in the latest active revision.",
|
||||
"Risk": "Absent container logs erode visibility, letting intrusions, data exfiltration, and configuration tampering go undetected.\n\nMissing audit trails weaken confidentiality and integrity, hinder forensics, and increase MTTR during outages, impacting availability and compliance evidence.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-9",
|
||||
"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html#specify-log-config",
|
||||
"https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-log-configuration.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws ecs register-task-definition --family <task-family> --container-definitions '[{\"name\":\"<container-name>\",\"image\":\"<image>\",\"logConfiguration\":{\"logDriver\":\"awslogs\",\"options\":{\"awslogs-group\":\"<log-group>\",\"awslogs-region\":\"<region>\",\"awslogs-stream-prefix\":\"ecs\"}}}]'",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-9",
|
||||
"Terraform": ""
|
||||
"CLI": "aws ecs register-task-definition --family <task-family> --container-definitions '[{\"name\":\"<container-name>\",\"image\":\"<image>\",\"logConfiguration\":{\"logDriver\":\"awslogs\",\"options\":{\"awslogs-group\":\"<log-group>\",\"awslogs-region\":\"<region>\"}}}]'",
|
||||
"NativeIaC": "```yaml\n# CloudFormation: ECS task definition with logging enabled for the container\nResources:\n ExampleTaskDefinition:\n Type: AWS::ECS::TaskDefinition\n Properties:\n ContainerDefinitions:\n - Name: \"<example_resource_name>\"\n Image: \"<image>\"\n LogConfiguration: # Critical: ensures container has logging configured\n LogDriver: awslogs # Critical: non-null log driver passes the check\n Options:\n awslogs-group: \"<log-group>\" # Critical: CloudWatch Logs group\n awslogs-region: \"<region>\"\n```",
|
||||
"Other": "1. In the AWS Console, go to Amazon ECS > Task Definitions\n2. Select your task definition and click Create new revision\n3. For each container, open Edit and set Log configuration to awslogs\n4. Set Log group to the desired CloudWatch Logs group and select the Region\n5. Save and Create to register the new revision (ensure all containers have logging)",
|
||||
"Terraform": "```hcl\n# ECS task definition with logging enabled for the container\nresource \"aws_ecs_task_definition\" \"<example_resource_name>\" {\n family = \"<example_resource_name>\"\n container_definitions = jsonencode([\n {\n name = \"<example_resource_name>\"\n image = \"<image>\"\n logConfiguration = { # Critical: enables container logging\n logDriver = \"awslogs\" # Critical: non-null log driver passes the check\n options = {\n awslogs-group = \"<log-group>\" # Critical: CloudWatch Logs group\n awslogs-region = \"<region>\"\n }\n }\n }\n ])\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Define a logging configuration in the ECS task definition to ensure important data is captured and available for debugging, monitoring, and auditing purposes.",
|
||||
"Url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html#specify-log-config"
|
||||
"Text": "Implement centralized, tamper-resistant **container logging** for all tasks. Define a `logDriver` per container and ship logs to a managed destination with restricted access. Apply **least privilege**, encryption, and retention. Monitor and alert on anomalies. *If using external collectors, ensure equivalent coverage and durability.*",
|
||||
"Url": "https://hub.prowler.com/check/ecs_task_definitions_logging_enabled"
|
||||
}
|
||||
},
|
||||
"Categories": [
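Review bot: The rewritten CLI, CloudFormation and Terraform examples configure the `awslogs` driver without `awslogs-stream-prefix`, which the previous CLI did include; per the awslogs documentation listed in AdditionalURLs that option is required for tasks on the Fargate launch type, so the remediation as written can fail to register or launch there. Suggest restoring `"awslogs-stream-prefix":"ecs"` in the CLI and adding `awslogs-stream-prefix: ecs` (with the matching `# Critical` comment) to both IaC snippets. The console steps under Other likewise omit the stream prefix and would benefit from the same note.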
|
||||
|
||||
@@ -1,30 +1,34 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "ecs_task_definitions_no_environment_secrets",
|
||||
"CheckTitle": "Check if secrets exists in ECS task definitions environment variables",
|
||||
"CheckTitle": "ECS task definition has no secrets in environment variables",
|
||||
"CheckType": [
|
||||
"Protect",
|
||||
"Secure development",
|
||||
"Credentials not hard-coded"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||
"Sensitive Data Identifications/Passwords",
|
||||
"TTPs/Credential Access"
|
||||
],
|
||||
"ServiceName": "ecs",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "AwsEcsTaskDefinition",
|
||||
"Description": "Check if secrets exists in ECS task definitions environment variables.",
|
||||
"Risk": "The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used, it is possible that malicious users gain access through the account in question.",
|
||||
"Description": "**ECS task definitions** are analyzed for **plaintext secrets** placed in container `environment` variables. It identifies values that resemble credentials (keys, tokens, passwords) within container definitions.",
|
||||
"Risk": "Exposed secrets in env vars undermine confidentiality via logs, task metadata, and introspection.\n\nWith container or read-only API access, attackers can reuse credentials to read databases, modify records (integrity), pivot to other services, and trigger outages or unauthorized costs (availability).",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::ECS::TaskDefinition\n Properties:\n Family: <example_resource_name>\n ContainerDefinitions:\n - Name: app\n Image: <image>\n Secrets: # Critical: use Secrets instead of plaintext env vars\n - Name: DB_PASSWORD # Critical: inject secret at runtime\n ValueFrom: <secret_arn_or_parameter_arn> # Critical: reference Secrets Manager/SSM parameter\n```",
|
||||
"Other": "1. In the AWS Console, go to ECS > Task Definitions and open your task definition\n2. Create a new revision\n3. For each container, remove any sensitive values from Environment variables\n4. Under Environment variables, add a new entry in the Secrets section with Name (e.g., DB_PASSWORD) and ValueFrom pointing to your Secrets Manager/SSM parameter\n5. Save to create the new revision\n6. If using a service, update the service to use the new task definition revision and deploy",
|
||||
"Terraform": "```hcl\nresource \"aws_ecs_task_definition\" \"<example_resource_name>\" {\n family = \"<example_resource_name>\"\n # Critical: define container secrets instead of plaintext env vars\n container_definitions = jsonencode([\n {\n name = \"app\"\n image = \"<image>\"\n secrets = [\n { name = \"DB_PASSWORD\", valueFrom = \"<secret_arn_or_parameter_arn>\" } # Critical: inject secret at runtime\n ]\n }\n ])\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Use Secrets Manager or Parameter Store to securely provide credentials to containers without hardcoding the secrets in code or passing them through environment variables. It is currently not possible to delete task definition revisions which contain plaintext secrets. AWS is looking into implementing this feature in 2023, and it is therefore recommended that all plaintext secrets are rotated at the same time as moving the secrets to Secrets Manager or Parameter Store.",
|
||||
"Url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html"
|
||||
"Text": "Store secrets in **AWS Secrets Manager** or **SSM Parameter Store** and inject them at runtime instead of plaintext env vars.\n\nApply **least privilege** via task roles, enable regular **rotation**, avoid logging secret values, and prefer **ephemeral credentials** for downstream services.",
|
||||
"Url": "https://hub.prowler.com/check/ecs_task_definitions_no_environment_secrets"
|
||||
}
|
||||
},
|
||||
"Categories": [
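Review bot: The rewritten Recommendation drops the previous text's warning that earlier revisions still hold the plaintext values, and neither it nor the console steps under Other tell the operator to rotate the exposed secret or to deregister (and, where supported, delete) the offending revisions; since `DescribeTaskDefinition` still returns INACTIVE revisions, moving a value into Secrets Manager without rotating it leaves the old credential readable to anyone with that permission. Suggest a closing step such as `7. Rotate the exposed credential, then deregister and delete the earlier revisions that contained it` and a matching sentence in the Recommendation. The `Secrets`/`secrets` examples also presume a task execution role that may read the referenced secret or parameter (and decrypt its KMS key), which the snippets do not show; a comment like `# execution role needs permission to read <secret_arn_or_parameter_arn>` would save a failed deployment.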
|
||||
|
||||
@@ -1,32 +1,39 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "ecs_task_definitions_no_privileged_containers",
|
||||
"CheckTitle": "ECS task definitions shouldn't have privileged containers",
|
||||
"CheckTitle": "ECS task definition has no privileged containers",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks/AWS Security Best Practices"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/CIS Host Hardening Benchmarks",
|
||||
"TTPs/Privilege Escalation"
|
||||
],
|
||||
"ServiceName": "ecs",
|
||||
"SubServiceName": "taskDefinition",
|
||||
"ResourceIdTemplate": "arn:aws:ecs:{region}:{account-id}:task-definition/{task-definition-name}",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "AwsEcsTaskDefinition",
|
||||
"Description": "This control checks if the privileged parameter in the container definition of Amazon ECS Task Definitions is set to true. The control fails if this parameter is equal to true.",
|
||||
"Risk": "Running containers with elevated privileges increases the risk of privilege escalation attacks, potentially allowing unauthorized access to the host and other containers.",
|
||||
"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-containers-nonprivileged.html",
|
||||
"Description": "**Amazon ECS task definitions** are evaluated for containers configured with **privileged mode** (`privileged: true`).\n\nThe outcome indicates whether any container definition enables this setting.",
|
||||
"Risk": "**Privileged containers** can act with host-level root, breaking isolation. A foothold lets attackers achieve **container escape**, mount host devices, read secrets, alter configs, and control other workloads-impacting confidentiality, integrity, and availability via data theft, tampering, and service disruption.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/config/latest/developerguide/ecs-containers-nonprivileged.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-4",
|
||||
"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_security"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws ecs register-task-definition --family <task-family> --container-definitions '[{\"name\":\"<container-name>\",\"image\":\"<image>\",\"privileged\":false}]'",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-4",
|
||||
"Terraform": ""
|
||||
"CLI": "aws ecs deregister-task-definition --task-definition <task-family>:<revision>",
|
||||
"NativeIaC": "```yaml\n# CloudFormation: ECS task definition with non-privileged container\nResources:\n <example_resource_name>:\n Type: AWS::ECS::TaskDefinition\n Properties:\n Family: <example_resource_name>\n ContainerDefinitions:\n - Name: <example_resource_name>\n Image: <image>\n Privileged: false # Critical: ensures container is non-privileged to pass the check\n```",
|
||||
"Other": "1. Open the Amazon ECS console and go to Task definitions\n2. Select the failing task definition family and open the failing revision\n3. Click Create new revision\n4. Edit the affected container and uncheck Privileged (set it to false)\n5. Click Create to register the new revision",
|
||||
"Terraform": "```hcl\n# ECS task definition with non-privileged container\nresource \"aws_ecs_task_definition\" \"<example_resource_name>\" {\n family = \"<example_resource_name>\"\n container_definitions = jsonencode([\n {\n name = \"<example_resource_name>\"\n image = \"<image>\"\n privileged = false # Critical: ensures container is non-privileged to pass the check\n }\n ])\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure that containers are running without elevated privileges to minimize the risk of privilege escalation.",
|
||||
"Url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_security"
|
||||
"Text": "Run containers without elevated rights (`privileged: false`) and as non-root (`user`). Apply **least privilege**:\n- Grant only required Linux capabilities via `capDrop`/`capAdd`\n- Prefer `readonlyRootFilesystem: true`\n- Isolate networks and separate duties\n- Monitor with logging to support defense in depth",
|
||||
"Url": "https://hub.prowler.com/check/ecs_task_definitions_no_privileged_containers"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"vulnerabilities"
|
||||
"container-security"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
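Review bot: The replacement CLI `aws ecs deregister-task-definition --task-definition <task-family>:<revision>` does not remediate the finding: deregistering only marks that revision INACTIVE, tasks and services already running it keep their privileged containers, and the check evaluates the latest active revision, which may be an earlier one with the same `privileged: true`. The previous command, which registered a new revision with `"privileged":false`, was the actual fix and should be restored, with deregistration at most an optional follow-up after services have been moved to the new revision. The Risk text also has a bare hyphen where a dash or comma is intended in `other workloads-impacting`.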
|
||||
|
||||
@@ -1,28 +1,34 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "ecs_task_set_no_assign_public_ip",
|
||||
"CheckTitle": "ECS task sets should not automatically assign public IP addresses",
|
||||
"CheckTitle": "ECS task set does not automatically assign a public IP address",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks/AWS Security Best Practices"
|
||||
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
|
||||
"Effects/Data Exposure"
|
||||
],
|
||||
"ServiceName": "ecs",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:aws:ecs:{region}:{account-id}:task-set/{cluster-name}/{service-name}/{task-set-id}",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "AwsEcsTaskSet",
|
||||
"Description": "This control checks whether an Amazon ECS task set is configured to automatically assign public IP addresses. The control fails if AssignPublicIP is set to ENABLED.",
|
||||
"Risk": "A public IP address is reachable from the internet, potentially exposing resources associated with the ECS task set. ECS task sets shouldn't be publicly accessible, as this may allow unintended access to container application servers.",
|
||||
"RelatedUrl": "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_TaskSet.html",
|
||||
"ResourceType": "AwsEcsService",
|
||||
"Description": "**ECS task sets** are assessed for **automatic public IP assignment** via `AssignPublicIP`. When set to `ENABLED`, tasks are given public addresses in their network configuration.",
|
||||
"Risk": "Public IPs make tasks directly reachable from the Internet, enabling scanning, brute force, and exploit attempts.\n\nImpacts: **confidentiality** (data exposure), **integrity** (unauthorized actions), **availability** (DoS). Attackers can bypass internal controls and pivot for lateral movement.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-task-definition-console-v2.html",
|
||||
"https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_TaskSet.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-16"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws ecs update-service --cluster <cluster-name> --service <service-name> --network-configuration 'awsvpcConfiguration={assignPublicIp=\"DISABLED\"}'",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-16",
|
||||
"Terraform": ""
|
||||
"CLI": "",
|
||||
"NativeIaC": "```yaml\n# CloudFormation to ensure ECS Task Set does not auto-assign public IP\nResources:\n <example_resource_name>:\n Type: AWS::ECS::TaskSet\n Properties:\n Cluster: \"<example_resource_id>\"\n Service: \"<example_resource_id>\"\n TaskDefinition: \"<example_resource_id>\"\n NetworkConfiguration:\n AwsvpcConfiguration:\n AssignPublicIp: DISABLED # CRITICAL: disables automatic public IP assignment\n Subnets:\n - \"<example_resource_id>\"\n```",
|
||||
"Other": "1. In the AWS Console, go to ECS > Clusters > select your cluster\n2. Open your Service and choose Update (or Edit)\n3. In Networking, set Public IP assignment to Disabled\n4. Save/Deploy the update to create a new deployment/task set\n5. After the new task set is Primary and stable, delete the old task set that had Public IP enabled",
|
||||
"Terraform": "```hcl\n# ECS Task Set with public IP assignment disabled\nresource \"aws_ecs_task_set\" \"<example_resource_name>\" {\n cluster = \"<example_resource_id>\"\n service = \"<example_resource_id>\"\n task_definition = \"<example_resource_id>\"\n\n network_configuration {\n subnets = [\"<example_resource_id>\"]\n assign_public_ip = false # CRITICAL: disables automatic public IP assignment\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Configure ECS task sets to not assign public IP addresses to prevent unintended public access to your containerized applications.",
|
||||
"Url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-task-definition-console-v2.html"
|
||||
"Text": "Disable **automatic public IPs** on task sets.\n\nUse private subnets behind controlled entry points (load balancers, API gateways, or service discovery). Enforce **least privilege** security groups and **defense in depth**. Prefer private connectivity (VPC endpoints/VPN). *Expose only frontends, not tasks.*",
|
||||
"Url": "https://hub.prowler.com/check/ecs_task_set_no_assign_public_ip"
|
||||
}
|
||||
},
|
||||
"Categories": [
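Review bot: The CLI remediation was emptied although the previous `aws ecs update-service --cluster <cluster-name> --service <service-name> --network-configuration 'awsvpcConfiguration={assignPublicIp="DISABLED"}'` was a working fix and matches the console steps under Other, which also go through the service's networking settings; it should be restored rather than left blank. Separately, `ResourceType` changed from `AwsEcsTaskSet` to `AwsEcsService` while the CheckID, Description and both IaC examples are about task sets; if the check emits task-set ARNs, the ASFF type will mislabel findings, so please confirm which resource the check actually reports before keeping this change. The first AdditionalURLs entry points at the task-definition console guide, which does not cover task-set or service network configuration.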
|
||||
|
||||