CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, Network, etc.
ECS task definitions should not add Linux capabilities beyond the defaults and should drop 'NET_RAW'. Adding capabilities allows users to grant some superuser permissions to a process without running that process as root. Either drop 'NET_RAW' and do not add any other capabilities, or drop 'ALL' and only add back the capabilities that you need.
In the container_definitions block, set linuxParameters.capabilities.drop to include NET_RAW or ALL. If set to ALL, ensure NET_RAW is not included in linuxParameters.capabilities.add.
# Compliant example: the container drops NET_RAW and adds no capabilities back.
resource "aws_ecs_task_definition" "valid_drop_net_raw_only" {
  family                = "valid_drop_net_raw_only"
  container_definitions = <<-EOF
    [
      {
        "name": "valid_drop_net_raw_only",
        "image": "hello-world",
        "memory": 128,
        "linuxParameters": {
          "capabilities": {
            "drop": ["NET_RAW"]
          }
        }
      }
    ]
  EOF
  requires_compatibilities = ["EC2"]
}
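The following checker is an added example, not the scanner's own rule implementation. It applies the rule exactly as stated above to the container_definitions JSON array that an aws_ecs_task_definition embeds: drop must contain NET_RAW or ALL; if ALL is dropped, NET_RAW must not be re-added; if only NET_RAW is dropped, nothing else may be added. The function names and the sample container definitions are assumptions constructed for this example.

```python
"""Evaluate ECS container definitions against the NET_RAW capability rule.

Added example, not code from the scanner or from AWS. It reads the JSON array
that a Terraform aws_ecs_task_definition puts in container_definitions and
reports, per container, why it fails the rule (an empty list means compliant).
Function names and sample data below are constructed for this example.
"""
import json


def evaluate_container(container: dict) -> list[str]:
    """Return the findings for one container definition.

    Rule as stated on the page:
      - 'drop' must include NET_RAW or ALL;
      - when ALL is dropped, NET_RAW must not appear in 'add';
      - when only NET_RAW is dropped, no other capabilities may be added.
    """
    linux_params = container.get("linuxParameters") or {}
    caps = linux_params.get("capabilities") or {}
    drop = set(caps.get("drop") or [])
    add = set(caps.get("add") or [])
    name = container.get("name", "<unnamed>")

    findings: list[str] = []
    if "ALL" in drop:
        # Dropping ALL is acceptable only if NET_RAW is not added back.
        if "NET_RAW" in add:
            findings.append(f"{name}: drops ALL but adds NET_RAW back")
    elif "NET_RAW" in drop:
        # Dropping just NET_RAW is acceptable only if nothing else is added.
        if add:
            findings.append(
                f"{name}: drops NET_RAW but adds capabilities {sorted(add)}"
            )
    else:
        findings.append(f"{name}: does not drop NET_RAW or ALL")
    return findings


def evaluate_task_definition(container_definitions_json: str) -> dict[str, list[str]]:
    """Evaluate every container in a container_definitions JSON string."""
    containers = json.loads(container_definitions_json)
    return {
        c.get("name", f"container[{i}]"): evaluate_container(c)
        for i, c in enumerate(containers)
    }


# Constructed sample: two compliant containers and three that violate the rule.
SAMPLE_CONTAINER_DEFINITIONS = json.dumps([
    {"name": "drop_net_raw", "image": "hello-world", "memory": 128,
     "linuxParameters": {"capabilities": {"drop": ["NET_RAW"]}}},
    {"name": "drop_all_add_back", "image": "hello-world", "memory": 128,
     "linuxParameters": {"capabilities": {"drop": ["ALL"], "add": ["CHOWN"]}}},
    {"name": "no_capabilities", "image": "hello-world", "memory": 128},
    {"name": "readds_net_raw", "image": "hello-world", "memory": 128,
     "linuxParameters": {"capabilities": {"drop": ["ALL"], "add": ["NET_RAW"]}}},
    {"name": "drop_net_raw_adds_more", "image": "hello-world", "memory": 128,
     "linuxParameters": {"capabilities": {"drop": ["NET_RAW"], "add": ["CHOWN"]}}},
])


if __name__ == "__main__":
    for container_name, findings in evaluate_task_definition(SAMPLE_CONTAINER_DEFINITIONS).items():
        status = "PASS" if not findings else "FAIL"
        print(f"{status} {container_name}")
        for finding in findings:
            print(f"    {finding}")
```

Run it against the heredoc content of a task definition (for example by extracting the JSON from `terraform show -json` output) to get one verdict per container; the checker treats a missing linuxParameters block as a failure because the page requires NET_RAW to be dropped explicitly.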