🛡️ AWS ECS Task Definition shares the host's process namespace🟢

Contextual name: 🛡️ Task Definition shares the host's process namespace🟢
ID: /ce/ca/aws/ecs/task-definition-pid-mode
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS ECS Task Definition
- 🔌 AWS ECS Task Definition - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [ECS.3] ECS task definitions should not share the host's process namespace

Description

Description

This policy identifies AWS ECS Task Definitions where the pidMode parameter is configured as host.

When pidMode is set to host, containers within the task share the process ID (PID) namespace of the underlying EC2 host instance. This effectively allows containerized processes to behave as though they are running directly on the host instead of within an isolated container environment.

Rationale

Process isolation is a core security feature of containerized workloads. Under normal operation, containers have their own dedicated PID namespace, limiting visibility to processes running solely within that container.

Enabling host PID mode removes this isolation and allows containerized processes to:

View all processes running on the host system, including system daemons and processes from other containers.

Interact with host-level processes, potentially sending signals (e.g., kill) to critical system components if elevated privileges are present.

Access sensitive information that may be exposed through process listings, such as command-line arguments or environment variables.

... see more

Remediation

Open File

Remediation

Update the ECS Task Definition to Set PID Mode

Using the AWS CLI
Retrieve the existing task definition JSON
aws ecs describe-task-definition \
    --task-definition {{family-or-full-arn}} \
    --query 'taskDefinition' > task-def.json
Edit task-def.json

Locate the pidMode key and remove it, or set it to task.
{
    "family": "{{my-task}}",
    ...
    "pidMode": "task", 
    ...
}   
Register the updated task definition
aws ecs register-task-definition --cli-input-json file://task-def.json
Update your ECS service to use the new task definition revision

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.3] ECS task definitions should not share the host's process namespace			1	no data
💼 Cloudaware Framework → 💼 Secure Access			74	no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3	1	47	no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)			45	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3		47	no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			54	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration	7		46	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Remediation​

Remediation​

Update the ECS Task Definition to Set PID Mode​

Using the AWS CLI​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Remediation

Remediation

Update the ECS Task Definition to Set PID Mode

Using the AWS CLI

policy.yaml

Linked Framework Sections