ECS task definition uses the root user Affecting ECS service in AWS

Snyk CCSS

Containers / Users

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CSA-CCM ISO-27001 NIST-800-53

Snyk ID SNYK-CC-00202
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Running container processes with a non-root user limits vectors by which the account can be compromised. It also encourages the creation and use of role-based accounts that are least privileged.

How to fix?

In the container_definitions attribute, set user to a non-root user.

0, root, and the default user are all root users.

Example Configuration

resource "aws_ecs_task_definition" "valid_user" {
  family = "valid_user"

  container_definitions = <<EOF
[
  {
    "name": "valid_user",
    "image": "hello-world",
    "memory": 128,
    "user": "app"
  }
]
EOF

  requires_compatibilities = ["EC2"]
}

Terraform

Resource: aws_ecs_task_definition

References

ContainerDefinition