ecs-task-definition-user-for-host-mode-check - AWS Config

Checks whether your latest active Amazon Elastic Container Service (Amazon ECS) task definitions that have NetworkMode set to host grant unauthorized permissions. The rule is NON_COMPLIANT for a task definition with NetworkMode set to host whose container definitions have privileged set to false or empty and user set to root or empty.

Important

We recommend that you remove elevated privileges from Amazon ECS task definitions. When privileged is true, the container is given elevated permissions on the host container instance (similar to the root user). When running tasks that use the host network mode, do not run containers as the root user (UID 0), because a root process in the host network namespace can bind privileged ports and interact with host network interfaces directly. As a security best practice, always use a non-root user.

Identifier: ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK

Resource Types: AWS::ECS::TaskDefinition

Trigger type: Configuration changes

AWS Region: All supported AWS regions except Middle East (UAE), Asia Pacific (Osaka), Asia Pacific (Melbourne), Israel (Tel Aviv), Canada West (Calgary) Region

Parameters:

SkipInactiveTaskDefinitions (Optional)
Type: boolean

Boolean flag that controls whether INACTIVE Amazon ECS task definitions are checked. If set to 'true', the rule does not evaluate INACTIVE Amazon ECS task definitions. If set to 'false', the rule evaluates the latest revision of INACTIVE Amazon ECS task definitions.
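To make the rule's conditions concrete, the following is an added Python example (not AWS Config's own implementation) that applies the same evaluation logic to task definitions in the shape returned by ECS DescribeTaskDefinition, honoring the SkipInactiveTaskDefinitions parameter. Treating "0" and "user:group" strings as root, and the sample task definitions themselves, are assumptions constructed for this example.

```python
"""Mirror of the ecs-task-definition-user-for-host-mode-check logic.

Added example, not AWS Config's implementation. Task definitions use the
key names of the DescribeTaskDefinition API response (networkMode,
status, containerDefinitions[].privileged, containerDefinitions[].user).
"""

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def _runs_as_root(user):
    """True when the container user is root or unset.

    An empty user means the image default, which the rule treats as
    root. Accepting UID 0 and a trailing ":group" is an assumption
    made for this example (the page only names "root or empty").
    """
    if not user:
        return True
    name = user.split(":", 1)[0]
    return name in ("root", "0")


def evaluate_task_definition(task_def, skip_inactive=False):
    """Return the compliance type for one task definition."""
    if skip_inactive and task_def.get("status") == "INACTIVE":
        return NOT_APPLICABLE
    # Only host network mode is in scope for this rule.
    if task_def.get("networkMode") != "host":
        return COMPLIANT
    for container in task_def.get("containerDefinitions", []):
        # privileged=true containers are not what this rule flags;
        # it targets non-privileged containers that still run as root.
        if container.get("privileged", False):
            continue
        if _runs_as_root(container.get("user")):
            return NON_COMPLIANT
    return COMPLIANT


# Constructed samples: host mode with no user, and the same task fixed.
HOST_ROOT_TASK = {
    "family": "example-web", "status": "ACTIVE", "networkMode": "host",
    "containerDefinitions": [{"name": "web", "image": "nginx"}],
}
HOST_NONROOT_TASK = {
    "family": "example-web", "status": "ACTIVE", "networkMode": "host",
    "containerDefinitions": [{"name": "web", "image": "nginx",
                              "user": "1000:1000"}],
}
```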

AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.