DevOps Tips

The one Kubernetes CIS benchmark check that needs to be included in ECS

Orchestration systems like ECS or Kubernetes are generally complex, making security holes easy to introduce. Read more to learn of a serious security vulnerability and how to avoid it.

Albert Heinle
Written by
Albert Heinle

ECS is AWS's home-grown container orchestration service. It is generally simpler than Kubernetes, which is one of the many reasons for its popularity.

Orchestration systems like ECS or Kubernetes are generally complex, and there are many ways to introduce security holes.

One security hole in particular stems from the general idea behind interaction mechanisms between containers and the host system. In over-simplified terms, containers are independent environments sharing the same kernel as the host. A lot of common resources like networking or file system mounts are virtualized. Such virtualizations of operating system functionality are generally there for flexibility in container creation, and to protect the host resources, but they come at the cost of performance (for detailed information and some benchmarks, we recommend this paper.

When you are defining an ECS task definition, you can point

certain operating system functionality to the host, namely:

  • The network interfaces
  • The process namespace
  • The IPC resource namespace

For each one, we do not recommend setting them to the host. In fact, such practice is flagged in the case of Kubernetes by the CIS benchmarks (CIS Kubernetes Benchmark v. 1.6.0, sections 5.2.2., 5.2.3 and 5.2.4). For ECS, this behavior seems to be not flagged currently (May 2022) by common security scanners. The good news is that this check is included in CoGuard, amongst many other security checks that are not included in other tools.

In practical terms, if you define a resource of type `aws_ecs_task_definition` in your TerraForm file, make sure that neither of `ipc_mode`, `pid_mode` and `network_mode` are set to `host`, unless you need to tickle the last bit of performance out of your container. It is always best to play on the safe side. If you use CloudFormation, you need to look for resources of type `AWS::ECS::TaskDefinition`, and the respective keys are `IpcMode`, `PidMode` and `NetworkMode`.

Given the rise in container escape attacks, CoGuard gives you the upper hand. To scan your infrastructure today to uncover your weakest links, contact us at info@coguard.io.

more resources

Similar Posts

View all resources
In The News
Automation and Singletons in Infrastructure Setups

A review of the post mortem on Launchnodes slashing incident. And how to run static analysis of IaC, container and infrastructure to identify slashing risks in infrastructure setups for Web3 validators.

DevOps Tips
Cracking the Container Code: Navigating Kubernetes, Docker, Virtual Machines, Helm, and Secure Orchestration with Code Scanning

Explore the containerization landscape: Kubernetes, Docker, Helm, and orchestration. Secure deployments with code scanning for robust infrastructure as code.

DevOps Tips
MySQL in AWS RDS is NOT automatically following CIS benchmarks!

When using AWS, the RDS service allows for many different SQL engines, including Oracle’s MySQL. Here are some of the things you need to consider and possibly fix before using the RDS instance because out of the box does not mean it's secure!

Explore a test environment

Try here Demo
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Check out and explore a test environment to run infra audits on sample repositories of web applications and view select reports on CoGuard's interative dashboard today.

Book a Call
© 2021-2024 All rights reserved Heinle Solutions Inc.