AWS Config Rule: ECS Task Definition Non-root User
ECS_TASK_DEFINITION_NONROOT_USER
Eduardo Van Cauteren
Last Update 6 months ago
Description: Checks if ECSTaskDefinitions specify a user for Amazon Elastic Container Service (Amazon ECS) EC2 launch type containers to run on. The rule is NON_COMPLIANT if the ‘user’ parameter is not present or set to ‘root’. Note: This rule only evaluates the latest active revision of an Amazon ECS task definition.
Trigger type: Configuration changes
AWS Region: All supported AWS regions except China (Beijing), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Israel (Tel Aviv), Europe (Spain), China (Ningxia), Europe (Zurich) Region
How to Resolve Manually
A task definition is a blueprint for your application. It is a text file in JSON format that describes the parameters and one or more containers that form your application.
This Config rule checks whether the latest active revision of a task definition has the 'user' parameter set to something other than 'root' on its containers. If the user is 'root' or the parameter is missing, the rule marks the task definition non-compliant.
In order to resolve this you will need to create a new revision for your particular non-compliant task definition. To do so head on over to the Elastic Container Service (ECS) and click on Task definitions from the left menu. From the list, click on the definition that is not compliant and then choose the latest revision.
At the properties screen, click on the JSON tab to confirm that the 'user' parameter is either not present or is set to 'root'. To resolve the issue, click on the Create New Revision button at the top right, then select Create new revision with JSON to use the current JSON definition as a baseline.
Add the user parameter that fits your needs and save the changes. You can check the following screenshot as a general reference:
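As an added example (not StackZone's or AWS's own code), the following Python applies the rule's logic to a task definition JSON document and produces the revised definition you would register as the new revision. It assumes the ECS RegisterTaskDefinition shape (containerDefinitions[].user) and a constructed sample definition; the `strict` mode goes beyond the Config rule and also flags numeric UID 0, which still runs as root even though the rule only looks for a missing value or the literal 'root'.

```python
import copy
import json

# Constructed sample task definition (shape follows the ECS RegisterTaskDefinition
# API: containerDefinitions[].user). Not a real workload.
SAMPLE_TASK_DEFINITION = json.loads("""
{
  "family": "example-web",
  "requiresCompatibilities": ["EC2"],
  "containerDefinitions": [
    {"name": "web", "image": "example/web:1.0", "user": "root"},
    {"name": "sidecar", "image": "example/sidecar:1.0"}
  ]
}
""")


def is_root_user(user):
    """Rule semantics as stated on the page: missing/empty or the literal 'root'."""
    return user is None or user.strip() in ("", "root")


def looks_like_uid_zero(user):
    """Stricter defender check (assumption, beyond the Config rule): UID 0 in any of
    the 'user', 'user:group', 'uid' or 'uid:gid' forms still runs the process as root."""
    if user is None:
        return True
    name = user.split(":", 1)[0].strip()
    return name in ("", "root", "0")


def evaluate(task_definition, strict=False):
    """Return (compliance, names of offending containers)."""
    check = looks_like_uid_zero if strict else is_root_user
    offenders = [c["name"] for c in task_definition.get("containerDefinitions", [])
                 if check(c.get("user"))]
    return ("NON_COMPLIANT" if offenders else "COMPLIANT", offenders)


def new_revision_with_user(task_definition, user="1000:1000"):
    """Deep copy of the definition with a non-root 'user' set on every container that
    lacks one or runs as root; the original is left untouched for comparison."""
    revised = copy.deepcopy(task_definition)
    for container in revised.get("containerDefinitions", []):
        if looks_like_uid_zero(container.get("user")):
            container["user"] = user
    return revised


if __name__ == "__main__":
    print(evaluate(SAMPLE_TASK_DEFINITION))
    fixed = new_revision_with_user(SAMPLE_TASK_DEFINITION)
    print(evaluate(fixed, strict=True))
    print(json.dumps(fixed, indent=2))
```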