🛡️ AWS ECS Task Definition runs as privileged🟢

• Contextual name: 🛡️ Task Definition runs as privileged🟢
• ID: /ce/ca/aws/ecs/task-definition-privileged
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS ECS Task Definition
  • 🔌 AWS ECS Container Definition - object.extracts.yaml
  • 🔌 AWS ECS Task Definition - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [ECS.4] ECS containers should run as non-privileged

Description

Open File

Description

This policy identifies AWS ECS Task Definitions that contain one or more containers configured with the privileged parameter set to true.

When a container is run in privileged mode, it is granted access to all host devices and bypasses most isolation mechanisms provided by the container runtime. In effect, a privileged container can perform nearly any operation that the underlying host can.

Rationale

Running containers in privileged mode significantly weakens the security boundaries that normally protect the host system.

Key risks include:

1. Device Access: Privileged containers gain unrestricted access to all host devices (/dev).
2. Expanded Kernel Capabilities: They inherit all Linux kernel capabilities, enabling actions such as modifying kernel modules, altering system time, or manipulating network configurations.
3. Host Escalation Risk: If an attacker compromises a privileged container, they can often break out of the container environment and obtain root-level access to the EC2 host.

... see more

Remediation

Open File

Remediation

Update the ECS Task Definition to Update Privileged Parameter

Using the AWS CLI

1. Retrieve the existing task definition JSON

   aws ecs describe-task-definition \
       --task-definition {{family-or-full-arn}} \
       --query 'taskDefinition' > task-def.json

2. Edit task-def.json

   For every container in the containerDefinitions list, change privileged to false or remove the key (default is false).

   "containerDefinitions": [
       {
           "name": "{{app}}",
           "image": "{{image}}",
           "privileged": false,
           ...
       }
   ]

3. Register the updated task definition

   aws ecs register-task-definition --cli-input-json file://task-def.json

4. Update your ECS service to use the new task definition revision

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.4] ECS containers should run as non-privileged			1		no data
💼 Cloudaware Framework → 💼 Secure Access			74		no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			27		no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	84		no data
💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H)			18		no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	79		no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			27		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-5 Separation of Duties (M)(H)			18		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		79		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			133		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			183		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			122		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management		4	27		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	59		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			31		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control			22		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties			18		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	72		no data