
lacework-global-375

Elastic Container Service (ECS) containers should run as non-privileged (Manual)

Description

Best practices recommend removing elevated privileges from ECS task definitions. When the privileged parameter of a container definition is true, the container has elevated privileges on the host container instance (similar to the root user).

Remediation

From the AWS console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Containers > Elastic Container Service.
  4. In the left-hand pane, click Task definitions.
  5. Select the task definition running the privileged container.
  6. Select the task definition revision and click Create new revision.
  7. Under Container, ensure that privileged is not set to true in the Docker configuration.
  8. Click Create.

From CLI:

Create a JSON file containing the container definition for use in the task definition, with privileged: false, then run the following command:

aws ecs register-task-definition --family <task_definition_name> --container-definitions <container_definition_json>
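A small audit helper, added here as an example (it is not part of the Lacework policy or of AWS tooling), that checks a containerDefinitions JSON document of the kind the CLI step registers for containers with privileged set to true, and produces a copy with the flag cleared for the new revision. The sample container definitions are constructed for the example.

```python
import json

# Constructed sample: the containerDefinitions list of an ECS task definition,
# in the shape accepted by `aws ecs register-task-definition --container-definitions`.
# The same list can be pulled from a live task definition with
#   aws ecs describe-task-definition --task-definition <family:revision> \
#       --query 'taskDefinition.containerDefinitions'
SAMPLE_CONTAINER_DEFINITIONS = json.dumps([
    {"name": "web", "image": "nginx:1.25", "essential": True, "privileged": True},
    {"name": "sidecar", "image": "busybox", "essential": False, "privileged": False},
    {"name": "logger", "image": "fluent/fluent-bit", "essential": False},
])


def find_privileged_containers(container_definitions_json):
    """Return the names of containers whose privileged flag is true.

    A missing privileged key defaults to false on ECS, so only an explicit
    boolean true is reported; such containers run with root-equivalent access
    to the host container instance and violate this control.
    """
    defs = json.loads(container_definitions_json)
    return [c["name"] for c in defs if c.get("privileged", False) is True]


def drop_privileged(container_definitions_json):
    """Return a new container-definitions JSON string with privileged set to
    false on every container, ready to be written to the JSON file used with
    `aws ecs register-task-definition`. The input string is not modified."""
    defs = json.loads(container_definitions_json)  # fresh objects, not a view
    for c in defs:
        c["privileged"] = False
    return json.dumps(defs, indent=2)


if __name__ == "__main__":
    flagged = find_privileged_containers(SAMPLE_CONTAINER_DEFINITIONS)
    print("privileged containers:", flagged)  # ['web']
    fixed = drop_privileged(SAMPLE_CONTAINER_DEFINITIONS)
    print("still privileged after fix:", find_privileged_containers(fixed))  # []
```

Write the output of drop_privileged to a file and pass it as <container_definition_json> to the register-task-definition command above; the task's services then need to be updated to the new revision.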

References

https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-4
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_security