πŸ›‘οΈ AWS ECS Task Definition with Host Network Mode runs containers as root🟒

  • Contextual name: 🛡️ Task Definition with Host Network Mode runs containers as root 🟢
  • ID: /ce/ca/aws/ecs/task-definition-host-network-root-user
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

This policy identifies AWS ECS Task Definitions that are configured to use the host network mode while simultaneously allowing containers to run with root privileges (User ID 0).

When Network Mode is set to host, the container shares the network namespace of the underlying EC2 instance. If a process within such a container runs as root and an attacker gains the ability to escape the container runtime, they could potentially obtain unauthorized access to the host’s network interfaces, capture traffic, or modify network configurations.

Rationale

Using the host network mode significantly reduces network isolation between the container and the host. When combined with root-level privileges, this creates a high-risk security scenario:

  1. Privilege Escalation: If a container escape occurs, the attacker would inherit root privileges and direct access to the host’s network stack.
  2. Traffic Interception: A compromised root-level container on the host network could inspect or intercept traffic intended for other services running on the same host.

Remediation

Update the ECS Task Definition to Run Containers as a Non-Root User

Using the AWS CLI
  1. Retrieve the existing task definition JSON

     aws ecs describe-task-definition \
       --task-definition {{family-or-full-arn}} \
       --query 'taskDefinition' > task-def.json

  2. Edit task-def.json

     In the containerDefinitions array, update each container to run as a non-root user by setting the user parameter to a non-zero UID.

     "containerDefinitions": [
       {
         "name": "{{my-app}}",
         "image": "{{my-image}}",
         "user": "{{1000}}",
         ...
       }
     ]

  3. Register the updated task definition

     aws ecs register-task-definition --cli-input-json file://task-def.json

  4. Update your ECS service to use the new task definition revision
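The check and the remediation described above, as an added Python example that is not part of this policy page and not Cloudaware's own evaluator: it applies the policy's condition to a task-definition document (networkMode is host and at least one container's user is unset or resolves to UID 0) and produces the corrected document for step 3. The sample task definition, the container names and the UID 1000 are constructed. Two points a practitioner would want: a missing user is treated as root because the task definition cannot see a USER directive inside the image (an assumption, stated in the code), and the describe-only fields that remediate() strips (taskDefinitionArn, revision, status, requiresAttributes, compatibilities, registeredAt, registeredBy) are returned by describe-task-definition but rejected as input by register-task-definition, so passing task-def.json through unchanged makes step 3 fail.

```python
import json
from typing import Dict, List, Optional

# Fields present in `aws ecs describe-task-definition --query taskDefinition`
# output that `aws ecs register-task-definition` does not accept as input.
READ_ONLY_FIELDS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}


def runs_as_root(user: Optional[str]) -> bool:
    """True when the container's `user` setting resolves to UID 0.

    Accepts the ECS forms "uid", "uid:gid", "user", "user:group".
    Assumption: an absent `user` means the container runtime default (root),
    since a USER directive inside the image is not visible here.
    """
    if user is None or user.strip() == "":
        return True
    uid = user.split(":", 1)[0].strip()
    return uid in ("0", "root")


def find_violations(task_def: Dict) -> List[str]:
    """Names of containers that run as root while networkMode is host.

    Mirrors the policy condition: only host-mode task definitions are in scope.
    """
    if task_def.get("networkMode") != "host":
        return []
    return [
        container.get("name", "<unnamed>")
        for container in task_def.get("containerDefinitions", [])
        if runs_as_root(container.get("user"))
    ]


def remediate(task_def: Dict, uid: int = 1000) -> Dict:
    """Return a copy of task_def ready for register-task-definition.

    Every root container gets `user` set to the given non-zero UID, and the
    describe-only fields are dropped so the document is valid input.
    """
    fixed = {k: v for k, v in task_def.items() if k not in READ_ONLY_FIELDS}
    fixed["containerDefinitions"] = [
        {**c, "user": str(uid)} if runs_as_root(c.get("user")) else dict(c)
        for c in task_def.get("containerDefinitions", [])
    ]
    return fixed


# Constructed sample in the shape of describe-task-definition output
# (account id, ARN and images are placeholders, not real resources).
SAMPLE_TASK_DEF = json.loads("""
{
  "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/sample:3",
  "family": "sample",
  "revision": 3,
  "status": "ACTIVE",
  "networkMode": "host",
  "requiresAttributes": [],
  "compatibilities": ["EC2"],
  "containerDefinitions": [
    {"name": "web", "image": "example/web:1.0"},
    {"name": "sidecar", "image": "example/sidecar:1.0", "user": "root:root"},
    {"name": "worker", "image": "example/worker:1.0", "user": "1000:1000"}
  ]
}
""")

if __name__ == "__main__":
    print("violations:", find_violations(SAMPLE_TASK_DEF))
    print(json.dumps(remediate(SAMPLE_TASK_DEF), indent=2))
```

Run against a real describe-task-definition dump, find_violations() reports the containers the policy would flag, and json.dumps(remediate(...)) is the document to write back to task-def.json before step 3.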

Linked Framework Sections

| Section | Sub Sections / Internal Rules / Policies / Flags (counts run together in extraction) | Compliance |
| 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions. | 1 | no data |
| 💼 Cloudaware Framework → 💼 Secure Access | 74 | no data |
| 💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 27 | no data |
| 💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 3784 | no data |
| 💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H) | 18 | no data |
| 💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H) | 81179 | no data |
| 💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 84 | no data |
| 💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 27 | no data |
| 💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 84 | no data |
| 💼 FedRAMP Moderate Security Controls → 💼 AC-5 Separation of Duties (M)(H) | 18 | no data |
| 💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H) | 679 | no data |
| 💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 133 | no data |
| 💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 183 | no data |
| 💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage | 122 | no data |
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management | 427 | no data |
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement | 15559 | no data |
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control | 31 | no data |
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control | 22 | no data |
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties | 18 | no data |
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege | 102372 | no data |