Approved ECS Execute Command Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (should be achieved)
Rule ID: IAM-067

Ensure that all access to the ECS Execute command, whether granted via an IAM role, IAM group or IAM user, is approved. To approve role, group or user access to this ECS action, add the ARN of the IAM resource to the allow list in the rule settings. The ECS Execute command allows users to execute commands within containers running in ECS on EC2 or ECS Fargate. This command gives system administrators greater flexibility and visibility when debugging issues in applications running on ECS.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

The ECS Execute command allows users to execute commands within containers running in ECS on EC2 or ECS Fargate. This command gives system administrators greater flexibility and visibility when debugging issues in applications running on ECS. However, it also gives users the ability to access potentially sensitive information stored or being processed in that container. Additionally, it could give a user the ability to access any databases that the container can reach, or to make calls to other AWS services that the container's task role has been permitted to use. Therefore it is best practice to ensure that every user, group and role with access to this functionality has been explicitly approved.


Audit

Case A: To determine if your Amazon IAM role policies allow the execution of commands on ECS containers (i.e. ecs:ExecuteCommand), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click on the AWS IAM role that you want to examine.

05 On the IAM role configuration page, select the Permissions tab from the bottom panel.

06 Inside the Managed Policies and/or Inline Policies section(s), click the Show Policy link to open the attached IAM policy.

07 In the Show Policy dialog box, identify the Action element and its current value. If the element value is set to "ecs:ExecuteCommand", ECS execute command can be performed by users that can assume this IAM role or resources that are attached to this role.

Using AWS CLI

01 Run list-roles command (OSX/Linux/UNIX) using custom query filters to list the names of all IAM roles created within your AWS account:

aws iam list-roles \
  --output table \
  --query 'Roles[*].RoleName'

02 The command output should return a table with the requested identifiers:

------------------------------------
|             ListRoles            |
+----------------------------------+
|  ecs-manager                     |
|  redshift-manager                |
|  ...                             |
|  CloudTrail_CloudWatchLogs_Role  |
+----------------------------------+

03 Run list-role-policies command (OSX/Linux/UNIX) using your IAM role identifier to list the inline policies for the selected role:

aws iam list-role-policies \
  --role-name ecs-manager

04 The command output should return the policy names attached to the IAM role:

{
  "PolicyNames": [
    "ecs-admin-custom-policy"
  ]
}

05 Run get-role-policy command (OSX/Linux/UNIX) to describe the policy document (JSON format) attached to the selected IAM role:

aws iam get-role-policy \
  --role-name ecs-manager \
  --policy-name ecs-admin-custom-policy

06 The command output should return the IAM role policy metadata (including the policy document - highlighted):

{
  "RoleName": "ecs-manager",
  "PolicyDocument": {
    "Statement": [
      {
        "Action": "ecs:ExecuteCommand",
        "Effect": "Allow",
        "Resource": "*",
        "Sid": "ECSExecuteCommand"
      }
    ]
  },
  "PolicyName": "ecs-admin-custom-policy"
}

If the Action element value for the returned policy document is set to "ecs:ExecuteCommand" (as shown in the example above), then users that can assume this role, or resources attached to this role, can execute commands in ECS containers.

07 For managed policies, run list-attached-role-policies command (OSX/Linux/UNIX) using your IAM role identifier to list the attached policies for the selected role.

aws iam list-attached-role-policies \
  --role-name ecs-manager

08 The command output should return a list of the attached managed policies:

{
  "AttachedPolicies": [
    {
      "PolicyName": "MyPolicy",
      "PolicyArn": "arn:aws:iam::123456789012:policy/MyPolicy"
    }
  ],
  "IsTruncated": false
}

09 For each managed policy, run the get-policy command (OSX/Linux/UNIX) using the policy ARN returned in the previous step. The output includes the DefaultVersionId field, which identifies the policy version currently in effect:

aws iam get-policy \
  --policy-arn "arn:aws:iam::123456789012:policy/MyPolicy"

10 Run the get-policy-version command (OSX/Linux/UNIX) using the policy ARN and the version returned in the DefaultVersionId field in the previous command:

aws iam get-policy-version \
  --policy-arn "arn:aws:iam::123456789012:policy/MyPolicy" \
  --version-id v2

11 The command output should return the IAM policy document:

{
  "PolicyVersion": {
    "CreateDate": "2015-06-17T19:23:32Z",
    "VersionId": "v2",
    "Document": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "ecs:ExecuteCommand",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    },
    "IsDefaultVersion": false
  }
}

If the Action element value for the returned policy document is set to "ecs:ExecuteCommand" (as shown in the example above), then users that can assume this role, or resources attached to this role, can execute commands in ECS containers.

Audit

Case B: To determine if your Amazon IAM groups are able to execute commands on ECS containers (i.e. ecs:ExecuteCommand), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Groups.

04 Click on the AWS IAM group that you want to examine.

05 On the IAM group configuration page, select the Permissions tab from the bottom panel.

06 Inside the Managed Policies and/or Inline Policies section(s), click the Show Policy link to open the attached IAM policy.

07 In the Show Policy dialog box, identify the Action element and its current value. If the element value is set to "ecs:ExecuteCommand", ECS execute command can be performed by users that are members of this IAM group.

Using AWS CLI

01 Run list-groups command (OSX/Linux/UNIX) using custom query filters to list the names of all IAM groups created within your AWS account:

aws iam list-groups \
  --output table \
  --query 'Groups[*].GroupName'

02 The command output should return a table with the requested identifiers:

------------------------------------
|             ListGroups           |
+----------------------------------+
|  Admins                          |
|  managers                        |
|  ...                             |
|  ecs-admins                      |
+----------------------------------+

03 Run list-group-policies command (OSX/Linux/UNIX) using your IAM group identifier to list the inline policies for the selected group:

aws iam list-group-policies \
  --group-name ecs-admins

04 The command output should return the policy names attached to the IAM group:

{
  "PolicyNames": [
    "ecs-admin-custom-policy"
  ]
}

05 Run get-group-policy command (OSX/Linux/UNIX) to describe the policy document (JSON format) attached to the selected IAM group:

aws iam get-group-policy \
  --group-name ecs-admins \
  --policy-name ecs-admin-custom-policy

06 The command output should return the IAM group policy metadata (including the policy document - highlighted):

{
  "GroupName": "ecs-admins",
  "PolicyDocument": {
    "Statement": [
      {
        "Action": "ecs:ExecuteCommand",
        "Effect": "Allow",
        "Resource": "*",
        "Sid": "ECSExecuteCommand"
      }
    ]
  },
  "PolicyName": "ecs-admin-custom-policy"
}

If the Action element value for the returned policy document is set to "ecs:ExecuteCommand" (as shown in the example above), then IAM users that are members of this group can execute commands in ECS containers.

07 For managed policies, run list-attached-group-policies command (OSX/Linux/UNIX) using your IAM group identifier to list the attached policies for the selected group.

aws iam list-attached-group-policies \
  --group-name ecs-admins

08 The command output should return a list of the attached managed policies:

{
  "AttachedPolicies": [
    {
      "PolicyName": "MyPolicy",
      "PolicyArn": "arn:aws:iam::123456789012:policy/MyPolicy"
    }
  ],
  "IsTruncated": false
}

09 For each managed policy, run the get-policy command (OSX/Linux/UNIX) using the policy ARN returned in the previous step. The output includes the DefaultVersionId field, which identifies the policy version currently in effect:

aws iam get-policy \
  --policy-arn "arn:aws:iam::123456789012:policy/MyPolicy"

10 Run the get-policy-version command (OSX/Linux/UNIX) using the policy ARN and the version returned in the DefaultVersionId field in the previous command:

aws iam get-policy-version \
  --policy-arn "arn:aws:iam::123456789012:policy/MyPolicy" \
  --version-id v2

11 The command output should return the IAM policy document:

{
  "PolicyVersion": {
    "CreateDate": "2015-06-17T19:23:32Z",
    "VersionId": "v2",
    "Document": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "ecs:ExecuteCommand",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    },
    "IsDefaultVersion": false
  }
}

If the Action element value for the returned policy document is set to "ecs:ExecuteCommand" (as shown in the example above), then IAM users that are members of this group can execute commands in ECS containers.

Audit

Case C: To determine if Amazon IAM users are able to execute commands on ECS containers (i.e. ecs:ExecuteCommand), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the AWS IAM user that you want to examine.

05 On the IAM user configuration page, select the Permissions tab from the bottom panel.

06 Inside the Managed Policies and/or Inline Policies section(s), click the Show Policy link to open the attached IAM policy.

07 In the Show Policy dialog box, identify the Action element and its current value. If the element value is set to "ecs:ExecuteCommand", ECS execute command can be performed by that IAM user.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) using custom query filters to list the names of all IAM users created within your AWS account:

aws iam list-users \
  --output table \
  --query 'Users[*].UserName'

02 The command output should return a table with the requested identifiers:

------------------------------------
|             ListUsers            |
+----------------------------------+
|  Admin                           |
|  Paul                            |
|  ...                             |
|  bob                             |
+----------------------------------+

03 Run list-user-policies command (OSX/Linux/UNIX) using your IAM user identifier to list the inline policies for the selected user:

aws iam list-user-policies \
  --user-name bob

04 The command output should return the policy names attached to the IAM user:

{
  "PolicyNames": [
    "ecs-admin-custom-policy"
  ]
}

05 Run get-user-policy command (OSX/Linux/UNIX) to describe the policy document (JSON format) attached to the selected IAM user:

aws iam get-user-policy \
  --user-name bob \
  --policy-name ecs-admin-custom-policy

06 The command output should return the IAM user policy metadata (including the policy document - highlighted):

{
  "UserName": "bob",
  "PolicyDocument": {
    "Statement": [
      {
        "Action": "ecs:ExecuteCommand",
        "Effect": "Allow",
        "Resource": "*",
        "Sid": "ECSExecuteCommand"
      }
    ]
  },
  "PolicyName": "ecs-admin-custom-policy"
}

If the Action element value for the returned policy document is set to "ecs:ExecuteCommand" (as shown in the example above), then this IAM user can execute commands in ECS containers.

07 For managed policies, run list-attached-user-policies command (OSX/Linux/UNIX) using your IAM user identifier to list the attached policies for the selected user.

aws iam list-attached-user-policies \
  --user-name bob

08 The command output should return a list of the attached managed policies:

{
  "AttachedPolicies": [
    {
      "PolicyName": "MyPolicy",
      "PolicyArn": "arn:aws:iam::123456789012:policy/MyPolicy"
    }
  ],
  "IsTruncated": false
}

09 For each managed policy, run the get-policy command (OSX/Linux/UNIX) using the policy ARN returned in the previous step. The output includes the DefaultVersionId field, which identifies the policy version currently in effect:

aws iam get-policy \
  --policy-arn "arn:aws:iam::123456789012:policy/MyPolicy"

10 Run the get-policy-version command (OSX/Linux/UNIX) using the policy ARN and the version returned in the DefaultVersionId field in the previous command:

aws iam get-policy-version \
  --policy-arn "arn:aws:iam::123456789012:policy/MyPolicy" \
  --version-id v2

11 The command output should return the IAM policy document:

{
  "PolicyVersion": {
    "CreateDate": "2015-06-17T19:23:32Z",
    "VersionId": "v2",
    "Document": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "ecs:ExecuteCommand",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    },
    "IsDefaultVersion": false
  }
}

If the Action element value for the returned policy document is set to "ecs:ExecuteCommand" (as shown in the example above), then this IAM user can execute commands in ECS containers.
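Cases A, B and C above all reduce to the same question: do the combined inline and managed policy documents of a principal allow ecs:ExecuteCommand, and is that principal on the rule's allow list? The following added example (not code from the Conformity page or product) answers that offline for policy documents in the shape returned by get-role-policy, get-group-policy, get-user-policy and get-policy-version. It deliberately goes beyond the page's exact-match check by honouring IAM action wildcards such as "ecs:*" and explicit Deny statements; the principal ARNs, policies and allow list are constructed for the example.

```python
import fnmatch

# Constructed sample input (not real account data): policy documents in the shape returned
# by `aws iam get-role-policy` / `get-policy-version`, keyed by the principal's ARN.
SAMPLE_POLICIES = {
    "arn:aws:iam::123456789012:role/ecs-manager": [
        {"Statement": [{"Action": "ecs:ExecuteCommand", "Effect": "Allow", "Resource": "*"}]}],
    "arn:aws:iam::123456789012:group/ecs-admins": [
        {"Statement": [{"Action": ["ecs:Describe*", "ecs:*"], "Effect": "Allow", "Resource": "*"}]}],
    "arn:aws:iam::123456789012:user/bob": [
        {"Statement": [{"Action": "ecs:ExecuteCommand", "Effect": "Allow", "Resource": "*"}]},
        {"Statement": [{"Action": "ecs:ExecuteCommand", "Effect": "Deny", "Resource": "*"}]}],
    "arn:aws:iam::123456789012:user/Paul": [
        {"Statement": {"Action": "ecs:DescribeTasks", "Effect": "Allow", "Resource": "*"}}],
}
APPROVED_ARNS = {"arn:aws:iam::123456789012:role/ecs-manager"}  # the rule's allow list (constructed)

def _as_list(value):
    """IAM allows Statement, Action and NotAction to be a single value or a list."""
    return value if isinstance(value, list) else [value]

def _covers(pattern, action="ecs:ExecuteCommand"):
    # IAM action names match case-insensitively and '*' / '?' are wildcards,
    # so "ecs:*", "ecs:Execute*" and "*" all cover ecs:ExecuteCommand.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def grants_execute_command(policy_documents):
    """True if the combined documents Allow ecs:ExecuteCommand and no statement Denies it.
    Resource and Condition are ignored, since the rule only inspects the Action element."""
    allowed = denied = False
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            if "NotAction" in stmt:  # NotAction grants every action it does not name
                hit = not any(_covers(p) for p in _as_list(stmt["NotAction"]))
            else:
                hit = any(_covers(p) for p in _as_list(stmt.get("Action", [])))
            if hit and stmt.get("Effect") == "Allow":
                allowed = True
            elif hit and stmt.get("Effect") == "Deny":
                denied = True
    return allowed and not denied

def audit(policies_by_principal, approved_arns):
    """Classify each role, group or user as the rule does: approved, unapproved or no-access."""
    results = {}
    for arn, docs in policies_by_principal.items():
        if not grants_execute_command(docs):
            results[arn] = "no-access"
        else:
            results[arn] = "approved" if arn in approved_arns else "unapproved"
    return results
```

Principals reported as "unapproved" are the ones this rule would flag; feed the function the documents collected with the CLI steps above.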

Remediation / Resolution

This page does not provide specific steps for resolving the findings identified during the audit. There are many possible ways to resolve them, and the approach you choose should follow from an analysis of the audit findings and knowledge of your cloud environment. Below are possible solutions that you can consider:

01 If the IAM role, user or group has been approved to have this level of access, add the ARN of the IAM resource to the allow list in the rule settings. For IAM roles, consider who can assume that role.

02 You can edit the attached policy that permits this access, so it no longer permits this action. You should consider that this could affect other IAM resources that use this policy.

03 You can select a different IAM policy to attach to the IAM resource that does not permit this level of access.

04 If access is granted through an inline policy, you can simply edit that policy to deny access to that action.

Publication date Feb 18, 2021