CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of a rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, Network, etc.
Mounting sensitive host system directories into a container through an ECS task definition grants the container privileges beyond its own boundary: whatever it can read or write on those paths, it can read or write on the host. This creates unnecessary risk and increases the attack surface of the container.
Set the volume.host_path attribute to a directory that is not sensitive.
The following are considered sensitive host directories as defined by the CIS Docker Benchmark v1.2.0:
/
/boot
/dev
/etc
/lib
/proc
/sys
/usr
resource "aws_ecs_task_definition" "valid_host_directory" {
  family                = "valid_host_directory"
  container_definitions = <<EOF
[
  {
    "name": "valid_host_directory",
    "image": "hello-world",
    "memory": 128,
    "mountPoints": [
      {
        "containerPath": "/foo",
        "sourceVolume": "host_foo"
      }
    ]
  }
]
EOF
  requires_compatibilities = ["EC2"]

  volume {
    name      = "host_foo"
    host_path = "/foo"
  }
}
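The rule above is a string match on a fixed list of directories, but a reviewer checking deployed task definitions has to cope with paths that only become sensitive after normalisation ("/usr/../etc/") and paths that merely share a prefix ("/etcd" is not "/etc"). The following checker is an added example, not Snyk's rule engine or Terraform provider code. It assumes the input is the `taskDefinition` JSON object returned by `aws ecs describe-task-definition`, in which the Terraform `volume { host_path = ... }` block appears as `volumes[].host.sourcePath` and the `container_definitions` JSON as `containerDefinitions`; the sample task definition embedded in it is constructed for this example.

```python
"""Flag ECS task-definition volumes whose host path is a sensitive host directory.

Added example (not Snyk or Terraform code). Input is assumed to be the
`taskDefinition` object from `aws ecs describe-task-definition`.
"""
from pathlib import PurePosixPath

# Sensitive host directories as listed on the page (CIS Docker Benchmark v1.2.0).
SENSITIVE_HOST_DIRS = ("/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr")


def normalize_host_path(host_path: str) -> PurePosixPath:
    """Collapse '.', '..' and trailing slashes without touching the filesystem,
    so '/usr/../etc/' is judged as '/etc'."""
    parts = []
    for part in PurePosixPath(host_path).parts:
        if part in ("/", "."):
            continue
        if part == "..":
            if parts:
                parts.pop()
            continue
        parts.append(part)
    return PurePosixPath("/", *parts)


def is_sensitive_host_path(host_path: str) -> bool:
    """True if host_path is a listed directory or lies beneath one.

    '/' is special: it is sensitive only when the root itself is mounted,
    otherwise every absolute path would be flagged (the page's '/foo' is fine).
    """
    if not host_path.startswith("/"):
        # ECS requires an absolute sourcePath; anything else cannot be judged safe.
        return True
    norm = normalize_host_path(host_path)
    if norm == PurePosixPath("/"):
        return True
    for sensitive in SENSITIVE_HOST_DIRS:
        if sensitive == "/":
            continue
        candidate = PurePosixPath(sensitive)
        # Compare whole path components, so '/etcd' is not mistaken for '/etc'.
        if norm == candidate or candidate in norm.parents:
            return True
    return False


def find_sensitive_volumes(task_definition: dict) -> list:
    """Return one finding per volume that bind-mounts a sensitive host directory,
    together with the containers and mount points that use it."""
    mounts = {}
    for container in task_definition.get("containerDefinitions", []):
        for mp in container.get("mountPoints", []):
            mounts.setdefault(mp.get("sourceVolume"), []).append({
                "container": container.get("name"),
                "containerPath": mp.get("containerPath"),
                "readOnly": bool(mp.get("readOnly", False)),
            })
    findings = []
    for volume in task_definition.get("volumes", []):
        source_path = (volume.get("host") or {}).get("sourcePath")
        if source_path is None:
            continue  # Docker-managed or EFS volume, not a host bind mount
        if is_sensitive_host_path(source_path):
            findings.append({
                "volume": volume.get("name"),
                "hostPath": source_path,
                "usedBy": mounts.get(volume.get("name"), []),
            })
    return findings


# Constructed sample (not from a real account): the page's compliant task
# definition plus the kinds of volumes a reviewer would want flagged.
SAMPLE_TASK_DEFINITION = {
    "family": "valid_host_directory",
    "containerDefinitions": [
        {"name": "valid_host_directory", "image": "hello-world", "memory": 128,
         "mountPoints": [
             {"containerPath": "/foo", "sourceVolume": "host_foo"},
             {"containerPath": "/host-etc", "sourceVolume": "host_etc", "readOnly": True},
             {"containerPath": "/host", "sourceVolume": "host_root"},
         ]},
    ],
    "volumes": [
        {"name": "host_foo", "host": {"sourcePath": "/foo"}},          # fine
        {"name": "host_etc", "host": {"sourcePath": "/usr/../etc/"}},  # /etc: flagged
        {"name": "host_root", "host": {"sourcePath": "/"}},            # root: flagged
        {"name": "host_etcd", "host": {"sourcePath": "/etcd"}},        # not /etc: fine
        {"name": "scratch", "host": {}},                               # Docker-managed
    ],
}

if __name__ == "__main__":
    for f in find_sensitive_volumes(SAMPLE_TASK_DEFINITION):
        users = ", ".join(
            f"{u['container']}:{u['containerPath']}" + (" (ro)" if u["readOnly"] else "")
            for u in f["usedBy"])
        print(f"volume {f['volume']!r} mounts sensitive host path "
              f"{f['hostPath']!r}; used by {users or 'nothing'}")
```

Note that a `readOnly` mount point is reported but not excused: read access to /etc or /proc on the host is still information the container should not have, and the page's rule does not distinguish the two cases either.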