--- policy: /ce/ca/aws/ecs/task-definition-pid-mode logic: /ce/ca/aws/ecs/task-definition-pid-mode/prod.logic.yaml executionTime: 2026-06-06T12:02:50.024342496Z generationMs: 41 executionMs: 910 rows: - id: test1 match: true status: expected: DISAPPEARED actual: DISAPPEARED conditionIndex: expected: 99 actual: 99 conditionText: expected: isDisappeared(CA10__disappearanceTime__c) actual: isDisappeared(CA10__disappearanceTime__c) runtimeError: {} - id: test2 match: true status: expected: UNDETERMINED actual: UNDETERMINED conditionIndex: expected: 101 actual: 101 conditionText: expected: CA10__status__c.delegatedTo(CA10__status__c).isEmpty() actual: CA10__status__c.delegatedTo(CA10__status__c).isEmpty() runtimeError: {} - id: test3 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 199 actual: 199 conditionText: expected: extract('CA10__status__c') != 'ACTIVE' actual: extract('CA10__status__c') != 'ACTIVE' runtimeError: {} - id: test4 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10__pidMode__c') == 'host' actual: extract('CA10__pidMode__c') == 'host' runtimeError: {} - id: test5 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 300 actual: 300 conditionText: expected: otherwise actual: otherwise runtimeError: {} - id: test6 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 300 actual: 300 conditionText: expected: otherwise actual: otherwise runtimeError: {} usedFiles: - path: /ce/ca/aws/ecs/task-definition-pid-mode/policy.yaml md5Hash: 7D6632B08235FC02FFBA299D9530FF42 content: | --- names: full: "AWS ECS Task Definition shares the host's process namespace" contextual: "Task Definition shares the host's process namespace" description: > Ensure that AWS ECS Task Definitions do not configure containers to share the host's process ID (PID) namespace. 
Sharing the host's PID namespace (pidMode set to host) lets processes in a container see and interact with every process on the host, not only those of its own task; this removes a key isolation boundary between the container and the host, so a compromised container can reach host-level processes. A task definition that leaves pidMode unset runs with the ECS default (task) and passes this check; only ACTIVE revisions are evaluated. type: "COMPLIANCE_POLICY" categories: - "SECURITY" frameworkMappings: - "/frameworks/cloudaware/resource-security/secure-access" - "/frameworks/aws-fsbp-v1.0.0/ecs/03" similarPolicies: awsSecurityHub: - name: "[ECS.3] ECS task definitions should not share the host's process namespace" url: "https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-3" - path: /ce/ca/aws/ecs/task-definition-pid-mode/prod.logic.yaml md5Hash: 864E98AA35A0320E1FB2031CFB1B1E40 content: | --- inputType: "CA10__CaAwsEcsTaskDefinition__c" testData: - file: "test-data.json" importExtracts: - file: "/types/CA10__CaAwsEcsTaskDefinition__c/object.extracts.yaml" conditions: - status: "INAPPLICABLE" currentStateMessage: "The task definition is not active." check: NOT_EQUAL: left: EXTRACT: "CA10__status__c" right: TEXT: "ACTIVE" - status: "INCOMPLIANT" currentStateMessage: "The task definition is configured to share the host's process namespace." remediationMessage: "Create a new task definition revision with 'pidMode' set to 'task' (default) or removed." check: IS_EQUAL: left: EXTRACT: "CA10__pidMode__c" right: TEXT: "host" otherwise: status: "COMPLIANT" currentStateMessage: "The task definition maintains its own process namespace." 
- path: /ce/ca/aws/ecs/task-definition-pid-mode/test-data.json md5Hash: 021B590D906C02DE2ACA62FF6C8FA152 content: |- [ { "expectedResult": { "runtimeError": null, "conditionText": "isDisappeared(CA10__disappearanceTime__c)", "conditionIndex": 99, "status": "DISAPPEARED" }, "CA10__pidMode__c": "", "context": { "snapshotTime": "2025-12-12T04:42:59Z" }, "Id": "test1", "CA10__disappearanceTime__c": "2025-07-31T04:38:58Z", "CA10__status__c": "ACTIVE" }, { "expectedResult": { "runtimeError": null, "conditionText": "CA10__status__c.delegatedTo(CA10__status__c).isEmpty()", "conditionIndex": 101, "status": "UNDETERMINED" }, "CA10__pidMode__c": "", "context": { "snapshotTime": "2025-12-12T04:42:59Z" }, "Id": "test2", "CA10__disappearanceTime__c": null, "CA10__status__c": "" }, { "expectedResult": { "runtimeError": null, "conditionText": "extract('CA10__status__c') != 'ACTIVE'", "conditionIndex": 199, "status": "INAPPLICABLE" }, "CA10__pidMode__c": "", "context": { "snapshotTime": "2025-12-12T04:42:59Z" }, "Id": "test3", "CA10__disappearanceTime__c": null, "CA10__status__c": "INACTIVE" }, { "expectedResult": { "runtimeError": null, "conditionText": "extract('CA10__pidMode__c') == 'host'", "conditionIndex": 299, "status": "INCOMPLIANT" }, "CA10__pidMode__c": "host", "context": { "snapshotTime": "2025-12-12T04:42:59Z" }, "Id": "test4", "CA10__disappearanceTime__c": null, "CA10__status__c": "ACTIVE" }, { "expectedResult": { "runtimeError": null, "conditionText": "otherwise", "conditionIndex": 300, "status": "COMPLIANT" }, "CA10__pidMode__c": "", "context": { "snapshotTime": "2025-12-12T04:42:59Z" }, "Id": "test5", "CA10__disappearanceTime__c": null, "CA10__status__c": "ACTIVE" }, { "expectedResult": { "runtimeError": null, "conditionText": "otherwise", "conditionIndex": 300, "status": "COMPLIANT" }, "CA10__pidMode__c": "task", "context": { "snapshotTime": "2025-12-12T04:42:59Z" }, "Id": "test6", "CA10__disappearanceTime__c": null, "CA10__status__c": "ACTIVE" } ] - path: 
/types/CA10__CaAwsEcsTaskDefinition__c/object.extracts.yaml md5Hash: 5F3958CAB2B0FF7CE5C1D38F940B5729 content: "---\nextracts:\n# Values: bridge | host | awsvpc | none\n# Nullable.\n\ \ - name: \"CA10__networkMode__c\"\n value:\n FIELD:\n path:\ \ \"CA10__networkMode__c\"\n# Values: ACTIVE | INACTIVE | DELETE_IN_PROGRESS\n\ # Not nullable. \n - name: \"CA10__status__c\"\n value:\n FIELD:\n\ \ path: \"CA10__status__c\"\n undeterminedIf:\n noAccessDelegate:\n\ \ path: \"CA10__status__c\"\n currentStateMessage: \"\ Task Definition status cannot be empty. Possible permission issue with ecs:DescribeTaskDefinition\"\ \n# Values: task | host\n# Nullable.\n - name: \"CA10__pidMode__c\"\n value:\n\ \ FIELD:\n path: \"CA10__pidMode__c\"\n" script: |- /* Self-check for /ce/ca/aws/ecs/task-definition-pid-mode: the two mock_* functions replay test-data.json, process_* is the compiled prod.logic.yaml, and the final SELECT diffs expected vs actual per test Id. NOTE(review): the ARRAY<STRUCT<...>> and STRUCT<...> type parameters of all three RETURNS clauses were stripped when this page was rendered (they were read as HTML tags, leaving "ARRAY >>" and a bare "RETURNS STRUCT"; the "obj STRUCT< ... >" parameter survived only because of the space after "<"). The field names can be read back from the JS return objects and from the SELECT below, but the column types must be confirmed against the generator's original output before this script is run. */ CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "test1", "expectedResult" : { "runtimeError" : null, "conditionText" : "isDisappeared(CA10__disappearanceTime__c)", "conditionIndex" : 99, "status" : "DISAPPEARED" } }, { "Id" : "test2", "expectedResult" : { "runtimeError" : null, "conditionText" : "CA10__status__c.delegatedTo(CA10__status__c).isEmpty()", "conditionIndex" : 101, "status" : "UNDETERMINED" } }, { "Id" : "test3", "expectedResult" : { "runtimeError" : null, "conditionText" : "extract('CA10__status__c') != 'ACTIVE'", "conditionIndex" : 199, "status" : "INAPPLICABLE" } }, { "Id" : "test4", "expectedResult" : { "runtimeError" : null, "conditionText" : "extract('CA10__pidMode__c') == 'host'", "conditionIndex" : 299, "status" : "INCOMPLIANT" } }, { "Id" : "test5", "expectedResult" : { "runtimeError" : null, "conditionText" : "otherwise", "conditionIndex" : 300, "status" : "COMPLIANT" } }, { "Id" : "test6", "expectedResult" : { "runtimeError" : null, "conditionText" : "otherwise", "conditionIndex" : 300, "status" : "COMPLIANT" } } ]; """; /* One mock task definition per test Id (same rows as test-data.json). Rows other than test1 omit CA10__disappearanceTime__c entirely, so that struct field is expected to arrive as NULL; process_* relies on its loose "!= null" check to treat undefined and null alike. */ CREATE TEMP FUNCTION mock_CA10__CaAwsEcsTaskDefinition__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { 
"context" : { "snapshotTime" : new Date("2025-12-12T04:42:59Z") }, "CA10__disappearanceTime__c" : new Date("2025-07-31T04:38:58Z"), "CA10__status__c" : "ACTIVE", "CA10__pidMode__c" : "", "Id" : "test1" }, { "context" : { "snapshotTime" : new Date("2025-12-12T04:42:59Z") }, "CA10__status__c" : "", "CA10__pidMode__c" : "", "Id" : "test2" }, { "context" : { "snapshotTime" : new Date("2025-12-12T04:42:59Z") }, "CA10__status__c" : "INACTIVE", "CA10__pidMode__c" : "", "Id" : "test3" }, { "context" : { "snapshotTime" : new Date("2025-12-12T04:42:59Z") }, "CA10__status__c" : "ACTIVE", "CA10__pidMode__c" : "host", "Id" : "test4" }, { "context" : { "snapshotTime" : new Date("2025-12-12T04:42:59Z") }, "CA10__status__c" : "ACTIVE", "CA10__pidMode__c" : "", "Id" : "test5" }, { "context" : { "snapshotTime" : new Date("2025-12-12T04:42:59Z") }, "CA10__status__c" : "ACTIVE", "CA10__pidMode__c" : "task", "Id" : "test6" } ]; """; /* Evaluation of prod.logic.yaml for a single task definition. Conditions are tried in order and the first hit wins: DISAPPEARED (99) when CA10__disappearanceTime__c is set; UNDETERMINED (101) when CA10__status__c is empty (raised inside fieldChecked4 as an Error carrying the result in .cause, returned by the catch block); INAPPLICABLE (199) when status != ACTIVE, so INACTIVE and DELETE_IN_PROGRESS revisions are never judged; INCOMPLIANT (299) when CA10__pidMode__c equals host; otherwise COMPLIANT (300). Text comparisons go through TextLib.normalize (null -> '', collapse whitespace, trim, lowercase), so "HOST" or " host " are also INCOMPLIANT and a NULL/empty pidMode falls through to COMPLIANT, consistent with the remediation text that calls task the default. The snapshotTime argument is accepted but never read by this body. */ CREATE TEMP FUNCTION process_CA10__CaAwsEcsTaskDefinition__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__status__c STRING, CA10__pidMode__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" /* TextLib: every comparison normalises both sides (null becomes '', whitespace runs collapse to one space, trimmed, lowercased). */ var TextLib = new function () { this.normalize = function(arg) { return arg == null ? 
'' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); /* Evidence trail: every field read is appended here and returned joined as currentStateReferences. */ var references1 = []; /* condition[0], conditionIndex:[0..99] - deleted-at-source check. (Was a // comment; on this single-line rendering it would have swallowed the rest of the body.) */ references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } /* condition[1], conditionIndex:[100..199] - status gate. fieldChecked4 throws the UNDETERMINED result via Error.cause; the catch below returns it as the row result instead of failing the query. */ function fieldChecked4() { if (TextLib.isEmpty(obj.CA10__status__c)) { throw new Error("UNDETERMINED condition:101", {cause: {status: 'UNDETERMINED', conditionIndex: 101, conditionText: "CA10__status__c.delegatedTo(CA10__status__c).isEmpty()", currentStateMessage: "Task Definition status cannot be 
empty. Possible permission issue with ecs:DescribeTaskDefinition", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__status__c; } /* extract3/extract6 memoise on the function object itself (called as extractN.call(extractN)); the functions are declared inside this UDF body, so presumably there is no cross-row leakage - confirm. A value of '' is falsy and would simply be recomputed, which is harmless here. */ function extract3() { if (!this.out) { this.out = fieldChecked4(); } return this.out; }; references1.push('Status [obj.CA10__status__c]: ' + obj.CA10__status__c); try { if (TextLib.notEqual(extract3.call(extract3), 'ACTIVE')) { return {status: 'INAPPLICABLE', conditionIndex: 199, conditionText: "extract('CA10__status__c') != 'ACTIVE'", currentStateMessage: "The task definition is not active.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } /* condition[2], conditionIndex:[200..299] - the actual pidMode check; TextLib.equal makes it case- and whitespace-insensitive, and a NULL/empty pidMode does not match. */ function extract6() { if (!this.out) { this.out = obj.CA10__pidMode__c; } return this.out; }; references1.push('PID Mode [obj.CA10__pidMode__c]: ' + obj.CA10__pidMode__c); if (TextLib.equal(extract6.call(extract6), 'host')) { return {status: 'INCOMPLIANT', conditionIndex: 299, conditionText: "extract('CA10__pidMode__c') == 'host'", currentStateMessage: "The task definition is configured to share the host's process namespace.", currentStateReferences: references1.join('\n'), remediation: "Create a new task definition revision with 'pidMode' set to 'task' (default) or removed.", runtimeError: null}; } /* otherwise, conditionIndex 300 */ return {status: 'COMPLIANT', conditionIndex: 300, conditionText: "otherwise", currentStateMessage: "The task definition maintains its own process namespace.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; /* Compares expected vs actual per Id. The LEFT JOIN plus the IFNULL defaults mean a test Id with no mock row (NULL result) reports FAIL rather than silently matching; runtimeError is compared as a string, with NULL and '' treated alike. */ SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, 
'') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__status__c AS CA10__status__c, sObject.CA10__pidMode__c AS CA10__pidMode__c, sObject.Id AS Id, process_CA10__CaAwsEcsTaskDefinition__c( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__status__c AS CA10__status__c, sObject.CA10__pidMode__c AS CA10__pidMode__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAwsEcsTaskDefinition__c()) AS sObject ) sObject ON sObject.Id = expectedResult.Id;