ECS task definitions have their own unique process namespace or share the host's process namespace
Description
This policy checks for Amazon Elastic Container Service (ECS) task definitions whose `pid_mode` is set to `host`, so that the task's containers share the process namespace of the EC2 container instance they run on. This is a risky configuration: a process in such a container can see every process on the host and in every other task scheduled on the same instance, read their `/proc/<pid>/cmdline` (and, where the UID matches, `environ`), send them signals, and, if the container is also `privileged` or holds `CAP_SYS_PTRACE`, attach to them with ptrace. That breaks the isolation between containers and between a container and the host, paving the way for unauthorized access and data leakage. ECS task definitions should therefore leave `pid_mode` unset (a private namespace per container) or set it to `task` (shared only among the containers of that task), so that the host's process table stays out of reach.
Code Example
resource "aws_ecs_task_definition" "fail" {
  family   = "service"
  pid_mode = "host" # fails: every container in the task shares the host's PID namespace
  container_definitions = jsonencode([
    {
      name      = "first"
      image     = "service-first"
      cpu       = 10
      memory    = 512
      essential = true
      portMappings = [
        {
          containerPort = 80
          hostPort      = 80
        }
      ]
    },
    {
      name       = "second"
      image      = "service-second"
      cpu        = 10
      memory     = 256
      essential  = true
      privileged = true # makes the shared PID namespace worse: ptrace of host processes becomes possible
      portMappings = [
        {
          containerPort = 443
          hostPort      = 443
        }
      ]
    }
  ])

  volume {
    name      = "service-storage"
    host_path = "/ecs/service-storage"
  }

  placement_constraints {
    type       = "memberOf"
    expression = "attribute:ecs.availability-zone in [us-west-2a, us-west-2b]"
  }
}
Remediation
Terraform
- Resource: aws_ecs_task_definition
- Arguments: pid_mode
To fix this issue, either remove `pid_mode` from the `aws_ecs_task_definition` resource (the default gives each container a private process namespace) or set it to `task` when the containers of one task need to see each other's processes, for example a sidecar that signals the main process. Never set it to `host`. Note that `pid_mode` is a top-level argument of the resource, not a key inside `container_definitions`, and that `host` is only accepted for Linux tasks on the EC2 launch type: Fargate tasks only allow `task`, so this finding can only be reached on EC2-backed services.
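The same rule applied to a Terraform plan, as an added example that is not part of the original page and not Checkov's own implementation. It reads the JSON that `terraform show -json tfplan` prints, walks `planned_values.root_module` and every nested `child_modules` entry, and reports each `aws_ecs_task_definition` whose planned `pid_mode` is `host`; an unset `pid_mode` (planned as `null`) or `task` passes, which matches the remediation above. The embedded plan is a constructed, trimmed sample, and the resource names in it are assumptions. The same condition applies to the `pidMode` field returned by `aws ecs describe-task-definition` when auditing task definitions that are already registered.

```python
"""Flag ECS task definitions that share the host PID namespace in a Terraform plan.

Added example, not code from the original page or from Checkov. Input is the
JSON produced by `terraform show -json tfplan`.
"""
import json
import sys
from typing import Iterator

RESOURCE_TYPE = "aws_ecs_task_definition"
FORBIDDEN_PID_MODE = "host"

# Constructed sample of `terraform show -json` output, trimmed to the fields
# this check reads. Resource names are assumptions. Three task definitions:
# one sharing the host PID namespace, one leaving pid_mode unset (Terraform
# plans that as null), and one in a child module using a per-task namespace.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "aws_ecs_task_definition.fail",
                    "type": RESOURCE_TYPE,
                    "name": "fail",
                    "values": {"family": "service", "pid_mode": "host"},
                },
                {
                    "address": "aws_ecs_task_definition.unset",
                    "type": RESOURCE_TYPE,
                    "name": "unset",
                    "values": {"family": "service", "pid_mode": None},
                },
                {
                    "address": "aws_iam_role.task",
                    "type": "aws_iam_role",
                    "name": "task",
                    "values": {"name": "task-role"},
                },
            ],
            "child_modules": [
                {
                    "address": "module.api",
                    "resources": [
                        {
                            "address": "module.api.aws_ecs_task_definition.pass",
                            "type": RESOURCE_TYPE,
                            "name": "pass",
                            "values": {"family": "api", "pid_mode": "task"},
                        }
                    ],
                }
            ],
        }
    },
}


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a plan module, descending into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_plan(plan: dict) -> list[dict]:
    """Evaluate every planned aws_ecs_task_definition; only pid_mode == "host" fails."""
    results = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != RESOURCE_TYPE:
            continue
        pid_mode = (res.get("values") or {}).get("pid_mode")
        results.append({
            "address": res["address"],
            "pid_mode": pid_mode,
            "status": "FAILED" if pid_mode == FORBIDDEN_PID_MODE else "PASSED",
        })
    return results


def failing_addresses(plan: dict) -> list[str]:
    """Addresses of task definitions that would share the host's process namespace."""
    return sorted(r["address"] for r in check_plan(plan) if r["status"] == "FAILED")


def main(argv: list[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    for r in check_plan(plan):
        print(f"{r['status']:6} {r['address']} pid_mode={r['pid_mode']!r}")
    return 1 if failing_addresses(plan) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_pid_mode.py tfplan.json` in CI after `terraform plan -out=tfplan && terraform show -json tfplan > tfplan.json`; a non-zero exit blocks the apply. Because it reads planned values rather than the HCL, it also catches `pid_mode` set through a variable or a module input, which a text match on `.tf` files would miss.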
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0382 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_335 |