ECS task definition mounts sensitive host system directories Affecting ECS service in AWS

Severity Framework Snyk CCSS

Rule category Containers / Volumes

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CSA-CCM NIST-800-53 PCI-DSS

Snyk ID SNYK-CC-00176
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Mounting sensitive host system directories in an ECS task definition grants privileges beyond the boundaries of a container. This creates unnecessary risk and increases the attack surface of the container.

How to fix?

Set the volume.host_path attribute to a directory that is not sensitive.

The following are considered sensitive host directories as defined by the CIS Docker Benchmark v1.2.0:

/
/boot
/dev
/etc
/lib
/proc
/sys
/usr

Example Configuration

resource "aws_ecs_task_definition" "valid_host_directory" {
  family = "valid_host_directory"

  container_definitions = <<EOF
[
  {
    "name": "valid_host_directory",
    "image": "hello-world",
    "memory": 128,
    "mountPoints": [
      {
        "containerPath": "/foo",
        "sourceVolume": "host_foo"
      }
    ]
  }
]
EOF

  requires_compatibilities = ["EC2"]

  volume {
    name      = "host_foo"
    host_path = "/foo"
  }
}

Terraform

Resource: aws_ecs_task_definition

ECS task definition mounts sensitive host system directories Affecting ECS service in AWS

Description

How to fix?

Example Configuration

Terraform

References