ECS task definitions should not use the root user

Description

Running container processes as a non-root user limits what an attacker who compromises the process can do inside the container, and reduces the impact of a container breakout onto the host. It also encourages the creation and use of dedicated, least-privileged service accounts for each workload.

The user property must be set to a non-root user for each ContainerDefinition within the task definition. It accepts the same forms as docker run --user (user, uid, user:group, uid:gid, user:gid, uid:group); only the part before the colon determines the UID, so a value such as 0:appgroup still runs as root. The property is not supported for Windows containers. For more information about the user property, see ContainerDefinition in the ECS API Reference.

Console Remediation Steps

  • Navigate to ECS.

  • Select the Region that contains your task definition.

  • In the left pane, select Task Definitions.

  • Check the task definition and click Create new revision.

  • On the Create new revision of task definition page, edit each container definition so that its User field is set to a non-root user (for example an account created in the image's Dockerfile, or a numeric UID:GID such as 1000:1000) and click Update.

  • Select Create.

  • If your task definition is used in a service, update your service with the new task definition revision and deregister the previous revision so it can no longer be launched. For more information, see Updating a service.

CLI Remediation Steps

Step 1 is to make a non-root user available in the image:

  • The Dockerfile for each container image sets the account the process runs as with a USER instruction:

USER <username or UID>
  • If the image has no suitable account, create one first and then switch to it (example for a Debian/Ubuntu-based image; the USER instruction must come after the RUN that creates the account):

RUN useradd -d /home/username -m -s /bin/bash username
USER username

Step 2 is to reference that non-root user explicitly in the container definition. Setting it in the task definition, rather than relying on the image's USER instruction alone, means the check is satisfied even if the image is later rebuilt without one:

  • To register a new revision of the task definition with a corrected container definition (the "user" field is set inside the JSON passed to --container-definitions):

aws ecs register-task-definition
--family <value>
[--task-role-arn <value>]
[--execution-role-arn <value>]
[--network-mode <value>]
--container-definitions <value>
[--volumes <value>]
[--placement-constraints <value>]
[--requires-compatibilities <value>]
[--cpu <value>]
[--memory <value>]
[--tags <value>]
[--pid-mode <value>]
[--ipc-mode <value>]
[--proxy-configuration <value>]
[--inference-accelerators <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
  • Update the service to use the new task definition:

aws ecs update-service
[--cluster <value>]
--service <value>
[--desired-count <value>]
[--task-definition <value>]
[--capacity-provider-strategy <value>]
[--deployment-configuration <value>]
[--network-configuration <value>]
[--placement-constraints <value>]
[--placement-strategy <value>]
[--platform-version <value>]
[--force-new-deployment | --no-force-new-deployment]
[--health-check-grace-period-seconds <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
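The following Python check is an added example and is not part of the original page or of any AWS tooling. It audits the JSON returned by aws ecs describe-task-definition --task-definition <family:revision> for containers that run as root or have no user set, applying the uid/uid:gid parsing rules described above, and produces a corrected containerDefinitions array that can be written to a file and passed to register-task-definition via --container-definitions file://... . The task definition embedded below is constructed for illustration; the container names, images and the appuser account are placeholders.

```python
import copy
import json

# Constructed sample in the shape returned by
#   aws ecs describe-task-definition --task-definition <family:revision>
# Three containers: no user set, explicit root by UID, and a non-root user.
SAMPLE_TASK_DEFINITION = json.loads("""
{
  "taskDefinition": {
    "family": "example-api",
    "revision": 7,
    "containerDefinitions": [
      {"name": "web",     "image": "example/web:1.4"},
      {"name": "sidecar", "image": "example/sidecar:2.0", "user": "0:0"},
      {"name": "worker",  "image": "example/worker:1.1", "user": "1000:1000"}
    ]
  }
}
""")

ROOT_NAMES = {"root", "0"}


def runs_as_root(user):
    """Return True when an ECS/Docker 'user' value resolves to UID 0.

    ECS accepts the same forms as docker run --user: user, uid, user:group,
    uid:gid, user:gid and uid:group. Only the part before the colon decides
    the UID, so "0:nobody" is still root and "1000:0" is not.
    An unset value is treated as a finding: the check requires the user to
    be set explicitly, because an absent value falls back to the image's
    USER instruction, which defaults to root.
    """
    if user is None:
        return True
    uid_part = user.split(":", 1)[0].strip()
    return uid_part == "" or uid_part.lower() in ROOT_NAMES


def root_containers(task_def):
    """Names of container definitions in a describe-task-definition result
    that run as root or have no user set."""
    containers = task_def["taskDefinition"]["containerDefinitions"]
    return [c["name"] for c in containers if runs_as_root(c.get("user"))]


def fix_container_definitions(task_def, user="1000:1000", overrides=None):
    """Return a corrected copy of containerDefinitions suitable for
    --container-definitions on register-task-definition.

    Every container that fails the check gets `user`, or the per-container
    value from `overrides` (e.g. {"web": "appuser"}); compliant containers
    are left untouched. The caller must make sure the chosen account exists
    in the image (see the Dockerfile step above); the original input is not
    modified.
    """
    overrides = overrides or {}
    fixed = copy.deepcopy(task_def["taskDefinition"]["containerDefinitions"])
    for c in fixed:
        if runs_as_root(c.get("user")):
            c["user"] = overrides.get(c["name"], user)
    return fixed


if __name__ == "__main__":
    offenders = root_containers(SAMPLE_TASK_DEFINITION)
    print("containers running as root or without a user:", offenders)
    corrected = fix_container_definitions(
        SAMPLE_TASK_DEFINITION, overrides={"web": "appuser"})
    # Write this to container-definitions.json and register it with:
    #   aws ecs register-task-definition --family example-api \
    #     --container-definitions file://container-definitions.json
    print(json.dumps(corrected, indent=2))
```

The check deliberately reports a missing user as a finding rather than inspecting the image: whether the image's USER instruction is non-root cannot be determined from the task definition alone, and an explicit value in the container definition is what the rule asks for.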