AWSOverview
Amazon Elastic Container Service (ECS) task definitions are JSON files that describe how a Docker container should be launched within an ECS cluster.
This control only evaluates the in-use (RUNNING Task) revision of an Amazon ECS task definition, configured with the host network mode, exhibits unexpected privilege escalation on the host container.
If the privileged parameter is set to true or the user parameter is set to root or any other highly privileged user, it can lead to security concerns. These containers have elevated privileges, enabling them to access resources and perform operations that are typically restricted.
Remediation guidance
To remediate this issue, identify the task definitions with the host network mode and elevated privileges, and update their parameters accordingly. You can achieve this by creating a new task definition revision using the following steps:
- Open the Amazon ECS classic console.
- Choose the region that contains your task definition.
- In the navigation pane, select "task definitions."
- On the task definitions page, select the checkbox next to the task definition that needs revision, and choose Create new revision.
- Update the
privilegedparameter tofalseand/or change theuserparameter to a low-privileged user. - If your task definition is used in a service, update your service with the updated task definition. For more information, refer to the AWS documentation.
Multiple Remediation Paths
AWS
SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.
PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.
References for Service-Wide Patterns
- AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
- AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- AWS: deploy/adjust organization conformance packs and policy guardrails.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Check if Amazon ECS task definitions should have secure networking modes and user definitions
Connectors
Covered asset types
Expected check: eq []
{
ecsTaskDefinitions(
where: {
networkMode: "host", task_NOT: null,
OR:[
{containerSpecs_SOME: { privileged: true }},
{containerSpecs_SOME: { user_CONTAINS: "root" }}
] }
) {...AssetFragment}
}
