Severity Framework
Snyk CCSS
Rule category
Containers / Volumes
Frameworks
CIS-Controls
CSA-CCM
NIST-800-53
PCI-DSS
- Snyk ID SNYK-CC-00176
- credit Snyk Research Team
Description
Mounting sensitive host system directories in an ECS task definition grants privileges beyond the boundaries of a container. This creates unnecessary risk and increases the attack surface of the container.
How to fix?
Set the volume.host_path attribute to a directory that is not sensitive.
The following are considered sensitive host directories as defined by the CIS Docker Benchmark v1.2.0:
/
/boot
/dev
/etc
/lib
/proc
/sys
/usr
Example Configuration
resource "aws_ecs_task_definition" "valid_host_directory" {
  family                = "valid_host_directory"
  container_definitions = <<EOF
[
  {
    "name": "valid_host_directory",
    "image": "hello-world",
    "memory": 128,
    "mountPoints": [
      {
        "containerPath": "/foo",
        "sourceVolume": "host_foo"
      }
    ]
  }
]
EOF
  requires_compatibilities = ["EC2"]

  volume {
    name      = "host_foo"
    host_path = "/foo"
  }
}
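The check this rule performs can be reproduced outside of Snyk against a registered task definition, which is useful when auditing what is actually running rather than what is in source control. The following is an added example, not Snyk's rule implementation: it reads a task definition in the JSON shape returned by `aws ecs describe-task-definition` (volumes with `host.sourcePath`, which is what the Terraform `volume { host_path = ... }` block above becomes), normalises each host path, and flags any volume whose path is one of the CIS Docker Benchmark v1.2.0 directories listed above. Two choices here are this example's assumptions, not statements from the page: a path beneath a sensitive directory (such as `/etc/ssl`) is treated as sensitive too, and `/` is matched only exactly, so that `/foo` stays valid as in the page's configuration. The sample task definition is constructed for the demonstration.

```python
"""Flag ECS host-path volumes that mount CIS-listed sensitive host directories.

Added example; not Snyk's own rule logic. Input is a task definition dict in
the shape of `aws ecs describe-task-definition` output.
"""
import json
import posixpath

# Sensitive host directories as defined by the CIS Docker Benchmark v1.2.0.
SENSITIVE_HOST_DIRS = ("/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr")


def is_sensitive_host_path(host_path: str) -> bool:
    """Return True if host_path is a sensitive directory or (assumption) lies beneath one.

    The path is normalised first so that variants such as "/etc/", "//etc" or
    "/var/../etc/ssl" are recognised. "/" is matched only exactly, so "/foo"
    is not flagged while the host root itself is.
    """
    norm = posixpath.normpath(host_path)
    # posixpath.normpath preserves a leading "//" (POSIX leaves it implementation-
    # defined); collapse it so "//etc" is compared as "/etc".
    if norm.startswith("//"):
        norm = "/" + norm.lstrip("/")
    if not norm.startswith("/"):
        return False  # relative source paths are not valid ECS host volumes
    for sensitive in SENSITIVE_HOST_DIRS:
        if norm == sensitive:
            return True
        if sensitive != "/" and norm.startswith(sensitive + "/"):
            return True
    return False


def find_sensitive_mounts(task_definition: dict) -> list[dict]:
    """Report each sensitive host-path volume and the container paths that mount it."""
    findings = []
    for volume in task_definition.get("volumes", []):
        host = volume.get("host")
        if host is None:
            continue  # EFS, Docker or other non-host volume types
        host_path = host.get("sourcePath")
        if host_path is None or not is_sensitive_host_path(host_path):
            continue  # an empty host block is a Docker-managed volume, not a bind mount
        mounted_at = [
            f'{container["name"]}:{mount["containerPath"]}'
            for container in task_definition.get("containerDefinitions", [])
            for mount in container.get("mountPoints", [])
            if mount.get("sourceVolume") == volume["name"]
        ]
        findings.append({"volume": volume["name"], "hostPath": host_path, "mountedAt": mounted_at})
    return findings


# Constructed sample: one valid volume ("/foo"), two sensitive ones, one Docker-managed.
SAMPLE_TASK_DEFINITION = json.loads("""
{
  "family": "mixed_host_directories",
  "containerDefinitions": [
    {
      "name": "app",
      "image": "hello-world",
      "memory": 128,
      "mountPoints": [
        {"containerPath": "/foo", "sourceVolume": "host_foo"},
        {"containerPath": "/host-etc", "sourceVolume": "host_etc", "readOnly": true},
        {"containerPath": "/host-root", "sourceVolume": "host_root"}
      ]
    }
  ],
  "volumes": [
    {"name": "host_foo", "host": {"sourcePath": "/foo"}},
    {"name": "host_etc", "host": {"sourcePath": "/var/../etc/ssl/"}},
    {"name": "host_root", "host": {"sourcePath": "/"}},
    {"name": "scratch", "host": {}}
  ]
}
""")

if __name__ == "__main__":
    for finding in find_sensitive_mounts(SAMPLE_TASK_DEFINITION):
        print(f'volume {finding["volume"]} -> {finding["hostPath"]} mounted at {finding["mountedAt"]}')
```

Run against real data with `aws ecs describe-task-definition --task-definition <family:revision>` and pass the `taskDefinition` object to `find_sensitive_mounts`. Note that `readOnly: true` on a mount point does not change the verdict: the rule concerns which host directory is exposed, and a read-only view of `/etc` still reveals host configuration.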