AWS Config Rule: ECS Task Definition User For Host Mode Check

ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK

Ryan Ware

Last Update: 9 months ago

Description: Checks if an Amazon Elastic Container Service (Amazon ECS) task definition with host networking mode has 'privileged' or 'user' container definitions. The rule is NON_COMPLIANT for task definitions with host network mode and container definitions of privileged=false or empty and user=root or empty.


Trigger type: Configuration changes


AWS Region: All supported AWS regions except Middle East (UAE), Asia Pacific (Osaka), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West) Region


How to Resolve Manually

This AWS Config rule only applies to Linux ECS containers launched on EC2 instances (the EC2 launch type), not to AWS Fargate.


This rule looks at the network mode configured in your AWS ECS Task Definition. Specifically, it evaluates task definitions that have the network mode set to host.


When the AWS Fargate (serverless) launch type is selected you must use the awsvpc network mode. If you select the Amazon EC2 instance launch type, you can use different network modes on Linux or Windows. On Linux, you can choose between bridge, awsvpc, host or none. On Windows you can choose between default or awsvpc.

Below you will see an example of where to set this in your ECS Task Definition.

It is worth noting that you currently cannot choose host network mode from the AWS Console, even when selecting the EC2 instances launch type and Linux as the operating system. This may only be possible using the AWS CLI or by constructing your ECS Task Definition with IaC such as CloudFormation.
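To make the rule's logic concrete, here is an added example (not StackZone's or AWS's code) that applies the description above to two constructed task definitions, one that the rule would flag and one that passes, and shows the remediation of setting a non-root `user` on each offending container. The sample task definitions, the `harden_task_definition` helper and the `1000:1000` user are assumptions for illustration; the page itself only says "user=root or empty", so treating a numeric uid of 0 (or a `root:group` form) as root is also an assumption. The hardened JSON is the shape you would hand to `aws ecs register-task-definition --cli-input-json`.

```python
import copy
import json

# Constructed sample: host network mode, container runs as the default (root) user
# with privileged unset. Per the rule description this is NON_COMPLIANT.
NON_COMPLIANT_TASK_DEF = json.loads("""
{
  "family": "example-host-mode",
  "networkMode": "host",
  "requiresCompatibilities": ["EC2"],
  "containerDefinitions": [
    {"name": "web", "image": "nginx:1.25", "essential": true}
  ]
}
""")

# Constructed sample: same task definition with an explicit non-root user.
COMPLIANT_TASK_DEF = json.loads("""
{
  "family": "example-host-mode",
  "networkMode": "host",
  "requiresCompatibilities": ["EC2"],
  "containerDefinitions": [
    {"name": "web", "image": "nginx:1.25", "essential": true, "user": "1000:1000"}
  ]
}
""")


def _runs_as_root(user_field):
    """True when the container 'user' field is empty or names root.

    The rule text says 'user=root or empty'; also treating uid 0 and the
    'root:group' form as root is an assumption added here for robustness.
    """
    user = (user_field or "").strip()
    if user == "":
        return True
    uid_part = user.split(":", 1)[0]
    return uid_part in ("root", "0")


def container_is_non_compliant(container):
    """Apply the per-container test from the rule description.

    Flagged when privileged is false/empty AND user is root/empty. Note that the
    rule as described treats privileged=true as not flagged by this check.
    """
    privileged = bool(container.get("privileged", False))
    return (not privileged) and _runs_as_root(container.get("user"))


def evaluate_task_definition(task_def):
    """Return the rule outcome plus the names of offending containers.

    Task definitions that do not use host network mode are outside the rule's
    scope, reported here as NOT_APPLICABLE (AWS Config's usual term for that).
    """
    if task_def.get("networkMode") != "host":
        return {"compliance": "NOT_APPLICABLE", "containers": []}
    offenders = [
        c["name"]
        for c in task_def.get("containerDefinitions", [])
        if container_is_non_compliant(c)
    ]
    return {
        "compliance": "NON_COMPLIANT" if offenders else "COMPLIANT",
        "containers": offenders,
    }


def harden_task_definition(task_def, user="1000:1000"):
    """Return a copy with a non-root 'user' set on every offending container.

    The original dict is left untouched so the before/after can be diffed.
    """
    fixed = copy.deepcopy(task_def)
    for container in fixed.get("containerDefinitions", []):
        if container_is_non_compliant(container):
            container["user"] = user
    return fixed


if __name__ == "__main__":
    print("before:", evaluate_task_definition(NON_COMPLIANT_TASK_DEF))
    fixed = harden_task_definition(NON_COMPLIANT_TASK_DEF)
    print("after: ", evaluate_task_definition(fixed))
    # Ready for: aws ecs register-task-definition --cli-input-json file://fixed.json
    print(json.dumps(fixed, indent=2))
```

Run it as-is to see the flagged container and the hardened definition; swap in your own exported task definition JSON (for example from `aws ecs describe-task-definition`) to preview what the rule will report before the next configuration-change evaluation.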


Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here
