AWS ECS Task Definition Elevated Privileges Enabled

Ensure your ECS containers are not given elevated privileges on the host container instance. When the Privileged parameter is true, the container is given elevated privileges on the host container instance (similar to the root user). This policy checks the security configuration of your task definition and alerts if elevated privileges are enabled. Note: This parameter is not supported for Windows containers or tasks using the Fargate launch type.

Policy Details

Policy Subtype: Run, Build
Severity: High
Template Type: CloudFormation

Build Rules

AWS ECS task definition elevated privileges enabled.
JSON Query:
$.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Privileged any equal true
Recommendation:
Recommended solution for an AWS ECS task definition with elevated privileges enabled.
An AWS ECS task definition should not have elevated privileges enabled. Make sure your template has "Privileged" set to false for every container definition.
For example:
  "ContainerDefinitions": [
    {
      "Name": { "Ref": "AppName" },
      "ReadonlyRootFilesystem": true,
      "Image": "amazon/amazon-ecs-sample",
      "Cpu": 10,
      "Memory": 512,
      "Essential": true,
      "LogConfiguration": { "LogDriver": "json-file" },
      "Privileged": false
    }
  ]
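To show what the JSON query above actually flags, here is an added Python check (not Prisma Cloud's own code) that walks a constructed CloudFormation template and reports every container definition whose Privileged is true, including the string form "true" that CloudFormation also accepts for boolean properties.

```python
import json

# Constructed sample CloudFormation template (not from the page): one task
# definition mixes a compliant and a privileged container, a second uses the
# string form "true", and a non-ECS resource must be ignored.
TEMPLATE = json.loads("""
{
  "Resources": {
    "WebTask": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "ContainerDefinitions": [
          {"Name": "web", "Image": "nginx", "Privileged": false},
          {"Name": "sidecar", "Image": "busybox", "Privileged": true}
        ]
      }
    },
    "BatchTask": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "ContainerDefinitions": [
          {"Name": "worker", "Image": "alpine", "Privileged": "true"}
        ]
      }
    },
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")


def is_true(value):
    """CloudFormation accepts a boolean as JSON true or as the string "true"."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def privileged_containers(template):
    """Return (logical_id, container_name) for every ECS container definition
    with Privileged enabled; this mirrors the policy's JSON query."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ECS::TaskDefinition":
            continue
        containers = resource.get("Properties", {}).get("ContainerDefinitions", [])
        for container in containers:
            # Privileged is omitted on compliant containers, so default to False.
            if is_true(container.get("Privileged", False)):
                findings.append((logical_id, container.get("Name", "<unnamed>")))
    return findings


if __name__ == "__main__":
    for logical_id, name in privileged_containers(TEMPLATE):
        print(f"{logical_id}: container '{name}' has Privileged enabled")
```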

Run Rule Recommendation

Create a task definition revision.
  1. Open the Amazon ECS console.
  2. From the navigation bar, choose the region that contains your task definition.
  3. In the navigation pane, choose Task Definitions.
  4. On the Task Definitions page, select the box to the left of the task definition to revise and choose Create new revision.
  5. On the Create new revision of Task Definition page, change the existing Container Definitions.
  6. Under Security, uncheck the Privileged box.
  7. Verify the information and choose Update, then Create.
  8. If your task definition is used in a service, update your service with the updated task definition.
  9. Deactivate the previous task definition.

Compliance

There are 2 standards that are applicable to this policy:
  • PIPEDA
  • CCPA 2018
