Ensure that all access to the ECS Execute command (the ecs:ExecuteCommand IAM action), whether granted through an IAM role, IAM group or IAM user, has been approved. To approve a role, group or user, add the ARN of that IAM resource to the allow list in the rule settings. The ECS Execute command (ECS Exec) lets users run commands inside containers running on ECS on EC2 or on ECS Fargate, which gives system administrators greater flexibility and visibility when debugging issues in applications running on ECS.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
ECS Exec is a useful debugging aid, but it also gives a user the ability to read potentially sensitive information stored or being processed in that container. Because the command runs inside the container, the user can also reach any databases the container can reach and call any AWS services that the container's task role is permitted to call. It is therefore best practice to ensure that every user with access to this functionality has been explicitly approved.
Audit
Case A: To determine whether your Amazon IAM role policies allow the execution of commands in ECS containers (i.e. grant ecs:ExecuteCommand), perform the following:
Case B: To determine whether your Amazon IAM groups are able to execute commands in ECS containers (i.e. are granted ecs:ExecuteCommand), perform the following:
Case C: To determine whether your Amazon IAM users are able to execute commands in ECS containers (i.e. are granted ecs:ExecuteCommand), perform the following:
Remediation / Resolution
This page does not prescribe specific steps for resolving the findings of the audit. There are many possible ways to resolve them, and the approach you choose should follow from an analysis of the audit findings and your knowledge of your cloud environment. Below are possible solutions that you can consider:
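One such solution, shown here as an added example rather than a recommendation taken from this page: a service control policy (or, inside a single account, a permissions boundary) that denies ecs:ExecuteCommand to every principal except those on the approval list. With this in place, a stray ecs:* or NotAction grant to a group or user no longer results in ECS Exec access, which is the failure the audit above looks for. The account ID and role name are placeholders; aws:PrincipalArn resolves to the role ARN for assumed-role sessions, so listing the role covers everyone who assumes it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEcsExecUnlessApproved",
      "Effect": "Deny",
      "Action": "ecs:ExecuteCommand",
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/ecs-exec-breakglass"
          ]
        }
      }
    }
  ]
}
```

Two caveats. First, a guardrail of this kind complements rather than replaces removing the over-broad Allow statements the audit surfaces; the unneeded grants should still be tightened. Second, ECS Exec also requires the task to have been launched with execute-command enabled and the task role to hold the SSM Session Manager permissions the agent uses, so the IAM grant to the caller is necessary but not sufficient; it is, however, the gate this rule inspects.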