
lacework-global-374

Elastic Container Service (ECS) task definitions should not share the host's process namespace (Manual)

Description

A Process ID (PID) namespace provides separation between processes. It hides system processes from the container and allows PIDs, including PID 1, to be reused. Sharing the host's PID namespace with containers would allow those containers to see every process on the host system.

This reduces the benefit of process level isolation between the host and the containers. These circumstances could lead to unauthorized access to processes on the host itself, including the ability to manipulate and terminate them.

Customers should not share the host's process namespace with containers running on it.

Remediation

From the AWS console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Containers > Elastic Container Service.
  4. In the left-hand pane, click Task definitions.
  5. Select the task definition sharing the host's process namespace.
  6. Select the task definition revision and click Create new revision.
  7. Under Container, ensure that pidMode is not set to host in the Docker configuration.
  8. Click Create.

From CLI:

Create a JSON file containing the container definitions for use in the task definition, then run the following command (passing --pid-mode task so the containers share a namespace scoped to the task rather than the host):

aws ecs register-task-definition --family <task_definition_name> --container-definitions <container_definition_json> --pid-mode task
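The following is an added example, not part of this policy page or of the AWS CLI: a small offline check that audits task-definition JSON for pidMode set to host and produces the remediated copy. The input is assumed to have the shape of the taskDefinition object returned by `aws ecs describe-task-definition`; the sample task definitions are constructed for illustration.

```python
import json
import sys

# Constructed sample task definitions (not real ones) in the shape of
# the "taskDefinition" object that describe-task-definition returns.
VULNERABLE_TASK_DEF = {
    "family": "example-web-host",
    "pidMode": "host",  # shares the host's PID namespace: non-compliant
    "containerDefinitions": [{"name": "web", "image": "nginx:1.25", "essential": True}],
}
COMPLIANT_TASK_DEF = {
    "family": "example-web-task",
    "pidMode": "task",  # namespace shared only among this task's containers
    "containerDefinitions": [{"name": "web", "image": "nginx:1.25", "essential": True}],
}
DEFAULT_TASK_DEF = {
    "family": "example-web-default",  # pidMode omitted: private namespace per container
    "containerDefinitions": [{"name": "web", "image": "nginx:1.25", "essential": True}],
}


def shares_host_pid_namespace(task_def: dict) -> bool:
    """True when the task-level pidMode parameter is 'host'.

    Valid values are 'host' and 'task'; when the key is absent ECS gives
    each container its own private PID namespace, so a missing key passes.
    """
    return str(task_def.get("pidMode", "")).lower() == "host"


def audit_task_definitions(task_defs) -> list:
    """Return the family names of task definitions that share the host PID namespace."""
    return [td.get("family", "<unnamed>") for td in task_defs if shares_host_pid_namespace(td)]


def remediate(task_def: dict) -> dict:
    """Return a deep copy with pidMode set to 'task', matching the CLI remediation."""
    fixed = json.loads(json.dumps(task_def))
    fixed["pidMode"] = "task"
    return fixed


def load_task_definition(path: str) -> dict:
    """Load a JSON file, unwrapping the describe-task-definition envelope if present."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return data.get("taskDefinition", data)


if __name__ == "__main__":
    # With file arguments, audit saved describe-task-definition output; otherwise use the samples.
    defs = [load_task_definition(p) for p in sys.argv[1:]] or [VULNERABLE_TASK_DEF, COMPLIANT_TASK_DEF, DEFAULT_TASK_DEF]
    print("task definitions sharing the host PID namespace:", audit_task_definitions(defs))
```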

References

https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-3
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_definition_pidmode