ECS container definition mounts volumes with mount propagation set to "shared" Affecting ECS service in AWS


Severity: low (Snyk CCSS score 0.0)
Severity Framework: Snyk CCSS
Rule category: Containers / Volumes

Frameworks: CSA-CCM, NIST-800-53
Snyk ID: SNYK-CC-00201
Credit: Snyk Research Team

Description

A shared mount is replicated at all mounts and changes made at any mount point are propagated to all other mount points. Mounting a volume in shared mode does not restrict any other container from mounting and making changes to that volume.

How to fix?

In the container_definitions attribute, ensure that no mountPoints.containerPath carries a shared or rshared propagation suffix (for example /foo:shared); use private or rprivate, as in the example configuration below.

Example Configuration

resource "aws_ecs_task_definition" "valid_mount_propagation_private" {
  family = "valid_mount_propagation_private"

  container_definitions = <<EOF
[
  {
    "name": "valid_mount_propagation_private",
    "image": "hello-world",
    "memory": 128,
    "mountPoints": [
      {
        "containerPath": "/foo:private",
        "sourceVolume": "host_foo"
      },
      {
        "containerPath": "/bar:rprivate",
        "sourceVolume": "host_bar"
      }
    ]
  }
]
EOF

  requires_compatibilities = ["EC2"]

  volume {
    name      = "host_foo"
    host_path = "/foo"
  }

  volume {
    name      = "host_bar"
    host_path = "/bar"
  }
}
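A small checker for the condition this rule describes, added here as an example (it is not Snyk's rule engine, nor AWS or Terraform code): it parses the JSON array that goes into container_definitions, reports every mountPoints entry whose containerPath ends in a shared or rshared suffix, and returns a copy rewritten to private or rprivate, the remediation the example configuration above uses. The sample definitions are constructed for this example, and the set of suffixes it recognises as propagation modes is an assumption based on Docker's propagation keywords.

```python
import json

# Propagation modes the rule flags (stated on the page).
UNSAFE_MODES = {"shared", "rshared"}
# Remediation matching the page's example: shared -> private, rshared -> rprivate.
SAFE_REPLACEMENT = {"shared": "private", "rshared": "rprivate"}
# Suffixes treated as a propagation mode. Assumption: Docker's keyword set.
KNOWN_MODES = UNSAFE_MODES | {"private", "rprivate", "slave", "rslave"}

# Constructed sample: a container_definitions string with two offending
# mount points, one already-private mount and one with no suffix at all.
MISCONFIGURED = json.dumps([
    {
        "name": "app",
        "image": "hello-world",
        "memory": 128,
        "mountPoints": [
            {"containerPath": "/foo:shared", "sourceVolume": "host_foo"},
            {"containerPath": "/bar:rshared", "sourceVolume": "host_bar"},
            {"containerPath": "/baz:private", "sourceVolume": "host_baz"},
            {"containerPath": "/data", "sourceVolume": "data"},
        ],
    }
])


def split_container_path(container_path):
    """Split '/foo:shared' into ('/foo', 'shared').

    A path without a recognised mode suffix comes back unchanged with None,
    so '/data' -> ('/data', None); a colon that is not followed by a
    propagation keyword stays inside the path.
    """
    head, sep, tail = container_path.rpartition(":")
    if sep and tail in KNOWN_MODES:
        return head, tail
    return container_path, None


def find_shared_mounts(container_definitions_json):
    """Return one finding per mountPoints entry that uses shared or rshared
    propagation. Input is the JSON array string exactly as it appears in the
    Terraform container_definitions attribute."""
    findings = []
    for cdef in json.loads(container_definitions_json):
        for mp in cdef.get("mountPoints", []):
            path, mode = split_container_path(mp.get("containerPath", ""))
            if mode in UNSAFE_MODES:
                findings.append({
                    "container": cdef.get("name"),
                    "containerPath": path,
                    "sourceVolume": mp.get("sourceVolume"),
                    "mode": mode,
                })
    return findings


def fix_shared_mounts(container_definitions_json):
    """Return a corrected copy with shared -> private and rshared -> rprivate.
    Entries that are already private or carry no suffix are left untouched."""
    definitions = json.loads(container_definitions_json)
    for cdef in definitions:
        for mp in cdef.get("mountPoints", []):
            path, mode = split_container_path(mp.get("containerPath", ""))
            if mode in UNSAFE_MODES:
                mp["containerPath"] = f"{path}:{SAFE_REPLACEMENT[mode]}"
    return json.dumps(definitions, indent=2)


if __name__ == "__main__":
    for finding in find_shared_mounts(MISCONFIGURED):
        print(f"{finding['container']}: {finding['containerPath']} mounted "
              f"{finding['mode']} from volume {finding['sourceVolume']}")
    print(fix_shared_mounts(MISCONFIGURED))
```

Run against MISCONFIGURED, the checker reports the /foo and /bar mounts and leaves /baz and /data alone; feeding the corrected output back into find_shared_mounts yields no findings. To use it on a real task definition, pass the string value of container_definitions from the Terraform resource or from the registered task definition JSON.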
