AWS ECS/ Fargate Task Definition Root User Found

The user name to use inside the container should not be root. This policy generates an alert if root user is found in your container definition. The User parameter maps to User in the Create a container section of the Docker Remote API and the --user option to docker run Note: This parameter is not supported for Windows containers.

Policy Details

Policy Subtype
Run, Build
Severity
High
Template Type
Terraform

Build Rules

AWS ECS/ Fargate task definition root user found.
JSON Query:
$.resource[*].aws_ecs_task_definition[*].*[*].container_definitions[?(@.user=='root')] exists
Recommendation:
Recommended solution making sure that user name to use inside the container is not root.
The user name to use inside the container should not be root. Please make sure that none of the user under container definition is root user.
For example:
"container_definitions": [ {"name": "test-task", "user": "random"} ],

Run Rule Recommendation

Create a task definition revision.
  1. Open the Amazon ECS console.
  2. From the navigation bar, choose the region that contains your task definition.
  3. In the navigation pane, choose Task Definitions.
  4. On the Task Definitions page, select the box to the left of the task definition to revise and choose Create new revision.
  5. On the Create new revision of Task Definition page, change the existing Container Definitions.
  6. Under Security, remove root from the User field.
  7. Verify the information and choose Update, then Create.
  8. If your task definition is used in a service, update your service with the updated task definition.
  9. Deactivate previous task definition.

Recommended For You