Enforce Non-Privileged Mode for ECS Containers
Verifies that ECS containers are running in non-privileged mode, reducing the risk of unauthorized actions at the host level.
| Rule | ECS containers should run as non-privileged |
| Framework | AWS Foundational Security Best Practices |
| Severity | ✔ High |
Rule Description
Containers running on Amazon Elastic Container Service (ECS) should be configured to run as non-privileged users. This best practice is essential for enhancing the security posture of ECS environments, as running containers as non-privileged users reduces the risk of malicious activities and unauthorized access to the host system.
Troubleshooting Steps
If any ECS containers are found running as privileged users, the following steps can be taken to remediate the issue:
- 1.Identify the containers running as privileged users.
- 2.Update the container definitions to run as non-privileged users.
- 3.Restart the containers to apply the changes.
Necessary Codes
To enforce running ECS containers as non-privileged users, you can add the following configuration to the container definitions in the ECS task definition:
{
"name": "your-container-name",
"image": "your-container-image",
"essential": true,
"user": "non-root-user",
"...
}
Remediation Steps
To remediate ECS containers running as privileged users, follow these steps:
- 1.Open the Amazon ECS console.
- 2.Navigate to the task definition that contains the container running as a privileged user.
- 3.Edit the task definition.
- 4.Update the container definition to specify a non-privileged user.
- 5.Save the changes to the task definition.
- 6.Update the service to use the new task definition.
- 7.Verify that the containers are now running as non-privileged users.
By following these steps and ensuring that ECS containers are configured to run as non-privileged users, you can adhere to the AWS Foundational Security Best Practices and enhance the security of your ECS environment.