ECS task definitions should not use the root user
Description
Running container processes with a non-root user limits vectors by which the account can be compromised. It also encourages the creation and use of role-based accounts that are least privileged.
The user property must be set to a non-root user for each ContainerDefinition within the task definition. For more information about the user property, see ContainerDefinition in the ECS API Reference.
Console Remediation Steps
Navigate to ECS.
Select the Region that contains your task definition.
In the left pane, select Task Definitions.
Check the task definition and click Create new revision.
On the Create new revision of task definition page, change the container definitions to not use the root user and click Update.
Select Create.
If your task definition is used in a service, update your service with the updated task definition and deactivate the previous task definition. For more information, see Updating a service.
CLI Remediation Steps
Step 1: set the user in the image.
The Dockerfile for each container image should contain the line below:
USER <username or ID>
To create a user in the image and switch to it, add the following to the Dockerfile:
RUN useradd -d /home/username -m -s /bin/bash username
USER username
Step 2: once a non-root user is available in your image, specify it in the container definition.
To register a new revision of the task definition with a corrected container definition:
aws ecs register-task-definition
--family <value>
[--task-role-arn <value>]
[--execution-role-arn <value>]
[--network-mode <value>]
--container-definitions <value>
[--volumes <value>]
[--placement-constraints <value>]
[--requires-compatibilities <value>]
[--cpu <value>]
[--memory <value>]
[--tags <value>]
[--pid-mode <value>]
[--ipc-mode <value>]
[--proxy-configuration <value>]
[--inference-accelerators <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
Update the service to use the new task definition:
aws ecs update-service
[--cluster <value>]
--service <value>
[--desired-count <value>]
[--task-definition <value>]
[--capacity-provider-strategy <value>]
[--deployment-configuration <value>]
[--network-configuration <value>]
[--placement-constraints <value>]
[--placement-strategy <value>]
[--platform-version <value>]
[--force-new-deployment | --no-force-new-deployment]
[--health-check-grace-period-seconds <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
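The following Python script is an added example, not part of this page or of the AWS CLI; it audits a task definition for container definitions whose user property is missing or resolves to root, and produces the corrected container-definitions JSON that the register-task-definition command above takes via --container-definitions. The task definition embedded in it is constructed sample data, and the container and image names in it are placeholders. It treats a missing user as root, which is a conservative assumption: a container with no user set inherits the image's USER, and most base images default to root.

```python
import json

# Constructed sample task definition (not from a real account). "web" has no
# user and so inherits the image default, "sidecar" is explicitly uid 0, and
# "worker" already runs as a non-root uid:gid.
SAMPLE_TASK_DEFINITION = {
    "family": "example-web",
    "containerDefinitions": [
        {"name": "web", "image": "example/web:1.0", "essential": True},
        {"name": "sidecar", "image": "example/sidecar:1.0", "user": "0:0"},
        {"name": "worker", "image": "example/worker:1.0", "user": "1000:1000"},
    ],
}

# Values for the user part that mean "root" (empty string included, since it
# carries no user at all).
ROOT_USER_NAMES = {"", "root", "0"}


def is_root_user(user):
    """Return True if an ECS container 'user' value resolves to root.

    ECS accepts user, user:group, uid, uid:gid, uid:group and user:gid, so only
    the part before the first ':' identifies the user. None (property absent)
    is treated as root by assumption, because the container then runs as the
    image's default user, which is root for most images.
    """
    if user is None:
        return True
    name = user.split(":", 1)[0].strip()
    return name in ROOT_USER_NAMES


def find_root_containers(task_definition):
    """Return the names of container definitions that would run as root."""
    return [
        container["name"]
        for container in task_definition.get("containerDefinitions", [])
        if is_root_user(container.get("user"))
    ]


def remediated_container_definitions(task_definition, non_root_user):
    """Return a copy of the container definitions in which every root-running
    container has its 'user' set to non_root_user (e.g. "1000:1000").

    The result is the JSON array expected by
    'aws ecs register-task-definition --container-definitions file://...'.
    The input task definition is not modified.
    """
    if is_root_user(non_root_user):
        raise ValueError("replacement user must itself be non-root")
    fixed = []
    for container in task_definition.get("containerDefinitions", []):
        container = dict(container)  # shallow copy so the input is untouched
        if is_root_user(container.get("user")):
            container["user"] = non_root_user
        fixed.append(container)
    return fixed


if __name__ == "__main__":
    offenders = find_root_containers(SAMPLE_TASK_DEFINITION)
    print("containers running as root:", offenders)
    fixed = remediated_container_definitions(SAMPLE_TASK_DEFINITION, "1000:1000")
    # Save this output to a file and pass it as
    # --container-definitions file://container-definitions.json
    print(json.dumps(fixed, indent=2))
```

The check only looks at the user part of the value; a value such as "1000:0" passes because the user is non-root even though the group is root, so extend is_root_user if your policy also constrains the group. The replacement user is given as a numeric uid:gid because Docker accepts numeric IDs even when the image has no matching passwd entry, whereas a user name must already exist in the image (which is what the useradd step in the Dockerfile provides).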